Solved: Re: How can I use part of a token in a search?

danielbb · ‎04-03-2022

I have a piece of code as -

| rex field=$AppNC$ ".*\/(?<ChosenAppCode>.*"
| search job_name=* U_APP_CODE=ChosenAppCode

From the drop down the AppNC (App Name Code) is chosen and the search should have the app code part.

How can the following be dynamic ?

U_APP_CODE=ChosenAppCode

Meaning, ChosenAppCode, would be the code extracted in the line above?

ITWhisperer · ‎04-04-2022

rex will work on fields not tokens, so eval a field to the token and rex that or create an extra token in the change handler of the dropdown to have the part of the token you want for your search (using a where command as @bowesmana suggested)

View solution in original post

danielbb · ‎04-05-2022

Thank you both, it's working now.

VatsalJagani · ‎04-05-2022

@danielbb - Please consider accepting the answer which helped you!!

ITWhisperer · ‎04-04-2022

rex will work on fields not tokens, so eval a field to the token and rex that or create an extra token in the change handler of the dropdown to have the part of the token you want for your search (using a where command as @bowesmana suggested)

bowesmana · ‎04-03-2022

Instead of using search command, where you can't search for a field value, use where, e.g.

| where match(job_name, ".*") AND U_APP_CODE=ChosenAppCode

Note that if you use where, then you need to use match() command for wildcard matching and that uses regex. Depending on how you are searching for job_name, you could do both search and where.

How can I use part of a token in a search?

token

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor