Dashboards & Visualizations

How can I pass a boolean string in token

tkwaller1
Path Finder

Hello

I'm working on testing something, but I'm not sure exactly what would be the best solution. What I am trying to do is, using the timepicker, have a panel that loads IDs. Then I'd like another panel to search over the same timespan, in a different dataset, but only for the IDs from the first panel.


Is there a way to pass the results of a search that runs on page load to another search, maybe with a token(s)? The catch is that there may be a single ID or there may be many IDs. It would have to be a boolean of some sort, I believe, unless there's a better way to search one to many instances of something.

My thinking is something like

search 1:
<base search> | stats count by MSGID | fields - count

that populates a <tok> on page load (or time selection), but the results would have to be formatted like

654165464 OR MSGID=584548549494 OR MSGID=54654645645

search 2:
<base search2> MSGID=<tok> | stats count by MSGID | fields - count

Is this something that can be done? What might I have to do to accomplish this?

Thanks for the assistance!

0 Karma
1 Solution

richgalloway
SplunkTrust

Yes, I believe it can be done.  The first search should be followed by a <done> element within which a token is set to one of the result fields of the search.  That token is then referenced in the second search.

<search>
  <query>blahblahblah</query>
  <done>
    <!-- result.foo holds the value of field "foo" from the first result row -->
    <set token="foo">$result.foo$</set>
  </done>
</search>

If the second search expects the contents of the token to be in a particular format then the query should generate that format or you may be able to use an <eval> element within <done> to produce the desired structure.

---
If this reply helps you, Karma would be appreciated.
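
The approach from the accepted answer as a complete Simple XML form, added here as an example that is not part of the original thread. It uses the SPL `format` command to collapse all IDs into a single quoted OR expression, so the token holds the whole filter rather than only the value side of `MSGID=`. The index names `first_dataset` and `second_dataset` and the token names `time_tok` and `msgid_filter` are assumptions.

```xml
<form>
  <label>MSGID lookup across two datasets</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <!-- Assumed names: index=first_dataset, index=second_dataset, time_tok, msgid_filter. -->
  <!-- Runs on page load and on each time change. format collapses all rows into
       one row with a field named "search", for example:
       ( ( MSGID="654165464" ) OR ( MSGID="584548549494" ) ) -->
  <search>
    <query>index=first_dataset | stats count by MSGID | fields MSGID | format</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
    <done>
      <!-- A result token reads from the first result row only, hence the single row. -->
      <set token="msgid_filter">$result.search$</set>
    </done>
  </search>
  <row>
    <panel>
      <title>IDs in the first dataset</title>
      <table>
        <search>
          <query>index=first_dataset | stats count by MSGID | fields - count</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Same IDs in the second dataset</title>
      <table>
        <!-- Stays idle until msgid_filter is set by the search above. -->
        <search>
          <query>index=second_dataset $msgid_filter$ | stats count by MSGID</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because `format` wraps each value in double quotes, the token expands to `field="value"` comparisons in the second query instead of bare text taken from indexed data.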
