How can I use part of a token in a search?

danielbb
Motivator

I have a piece of code as follows:

| rex field=$AppNC$ ".*\/(?<ChosenAppCode>.*)"
| search job_name=* U_APP_CODE=ChosenAppCode

From the drop-down, the AppNC (App Name Code) is chosen, and the search should have the app code part.

How can the following be dynamic?

U_APP_CODE=ChosenAppCode

Meaning, ChosenAppCode, would be the code extracted in the line above? 

0 Karma
1 Solution

ITWhisperer
SplunkTrust

rex will work on fields not tokens, so eval a field to the token and rex that or create an extra token in the change handler of the dropdown to have the part of the token you want for your search (using a where command as @bowesmana suggested)

danielbb
Motivator

Thank you both, it's working now.

0 Karma

VatsalJagani
Champion

@danielbb - Please consider accepting the answer which helped you!!

0 Karma

bowesmana
SplunkTrust

Instead of using search command, where you can't search for a field value, use where, e.g.

| where match(job_name, ".*") AND U_APP_CODE=ChosenAppCode

Note that if you use where, then you need to use match() command for wildcard matching and that uses regex. Depending on how you are searching for job_name, you could do both search and where.
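
The approaches from the answers in this thread (copy the token into a field and rex it, or set an extra token in the dropdown's change handler, then compare with where), shown together in one Simple XML dashboard. This is an added example, not code posted in the thread; `index=main`, the dropdown choices and the panel titles are constructed placeholders.

```xml
<form version="1.1">
  <label>Jobs by app code (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="AppNC">
      <label>App Name Code</label>
      <!-- Constructed sample values in "name/code" form -->
      <choice value="Billing/BIL01">Billing/BIL01</choice>
      <choice value="Payroll/PAY02">Payroll/PAY02</choice>
      <change>
        <!-- Option 2: extra token holding only the part after the last "/" -->
        <eval token="ChosenAppCode">replace($value$, "^.*/", "")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Option 1: copy the token into a field, then rex and where</title>
      <table>
        <search>
          <!-- CDATA keeps the "<" of the named capture group valid inside XML -->
          <query><![CDATA[
index=main job_name=*
| eval AppNC=$AppNC|s$
| rex field=AppNC ".*\/(?<ChosenAppCode>.*)"
| where U_APP_CODE=ChosenAppCode
| table job_name U_APP_CODE
          ]]></query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Option 2: use the token set by the change handler</title>
      <table>
        <search>
          <!-- |s wraps the token value in quotes so it is passed as one literal -->
          <query>index=main job_name=* U_APP_CODE=$ChosenAppCode|s$ | table job_name U_APP_CODE</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `|s` token filter quotes the substituted value, so a dropdown value containing spaces or SPL syntax stays a single string instead of being parsed as part of the query.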

 
