Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I pass a boolean string in token

tkwaller1
Path Finder
‎12-12-2023 08:40 AM

Hello

 

Im working on testing something but Im not sure exactly would be the best solution. What I am trying to do is, using the timepicker, have a panel that loads id's. Then I'd like another panel to search over the same timespan, in a different dataset, but only for the id's from the first panel.


Is there a way to pass the results of a search that runs on page load to another search, maybe with a token(s)? the catch is that there may be a single id or there may be many id's. It would have to be a boolean of some sort I believe unless there's a better way to search one to many instances of a something.
 
My thinking is something like 
search 1:
<base search> | stats count by MSGID | fields - count
that populates a <tok> on page load(or time selection) but the results would have to be formatted like 

 

654165464 OR MSGID=584548549494 OR MSGID=54654645645

 


search 2
<base search2> MSGID=<tok> | stats count by MSGID | fields - count

Is this something that can be done? What might I have to do to accomplish this?

Thanks for the assistance!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 11:17 AM

Yes, I believe it can be done.  The first search should be followed by a <done> element within which a token is set to one of the result fields of the search.  That token is then referenced in the second search.

<search><query>blahblahblah</query>
  <done>
    <set token=foo>$results.foo$</set>
  </done>
</search>

If the second search expects the contents of the token to be in a particular format then the query should generate that format or you may be able to use an <eval> element within <done> to produce the desired structure.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 11:17 AM

Yes, I believe it can be done.  The first search should be followed by a <done> element within which a token is set to one of the result fields of the search.  That token is then referenced in the second search.

<search><query>blahblahblah</query>
  <done>
    <set token=foo>$results.foo$</set>
  </done>
</search>

If the second search expects the contents of the token to be in a particular format then the query should generate that format or you may be able to use an <eval> element within <done> to produce the desired structure.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top