How to get token values from dropdown to splunk qu...

karthi2809 · ‎04-18-2024

Thanks in advance .

I am trying to fetch application name and inteface details from input lookup and match with the splunk query .But i am getting below error.

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: applicationName=applicationName.

<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$">
      <label>ApplicationName</label>
      <choice value="*">All</choice>
      <search>
        <query>
       | inputlookup BankIntegration.csv  
       | dedup APPLICATION_NAME
       | sort APPLICATION_NAME
       | table APPLICATION_NAME
      </query>
      </search>
      <fieldForLabel>ApplicationName</fieldForLabel>
      <fieldForValue>APPLICATION_NAME</fieldForValue>
      <default>*</default>
      <prefix>applicationName="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
      <label>InterfaceName</label>
      <choice value="*">All</choice>
      <search>
        <query>
       | inputlookup BankIntegration.csv  
       | search $BankApp$
       | sort INTERFACE_NAME
       | table INTERFACE_NAME
    </query>
      </search>
      <fieldForLabel>InterfaceName</fieldForLabel>
      <fieldForValue>INTERFACE_NAME</fieldForValue>
      <default>*</default>
      <prefix>InterfaceName="</prefix>
      <suffix>"</suffix>
    </input>

renjith_nair · ‎04-18-2024

Try changing the applicationName to APPLICATION_NAME in the prefix

     <input type="dropdown" token="BankApp" searchWhenChanged="true">
        <label>ApplicationName</label>
        <choice value="*">All</choice>
        <search>
          <query>
       | inputlookup BankIntegration.csv  
       | dedup APPLICATION_NAME
       | sort APPLICATION_NAME
       | table APPLICATION_NAME
      </query>
        </search>
        <fieldForLabel>ApplicationName</fieldForLabel>
        <fieldForValue>APPLICATION_NAME</fieldForValue>
        <default>*</default>
        <prefix>APPLICATION_NAME="</prefix>
        <suffix>"</suffix>
      </input>

in the second look up, you are trying to filter with applicationName="" where as the lookup file seems to have APPLICATION_NAME as header

---
What goes around comes around. If it helps, hit it with Karma 🙂

karthi2809 · ‎04-18-2024

Yes, But its still showing same error

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand

side: applicationName=APPLICATION_NAME.

This the query which i am using:

index=mulesoft environment=$env$ applicationName=$BankApp$ InterfaceName=$interface$ (priority="ERROR" OR priority="WARN")  | stats  values(*) as * by correlationId | rename  content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName 
 content.ErrorMsg as ErrorMsg   | eval  Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS") | fields  Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | where  FileList!=" "

ITWhisperer · ‎04-18-2024

Since you already have applicationName=" as your prefix, this line

index=mulesoft environment=$env$ applicationName=$BankApp$ InterfaceName=$interface$

will expand to

index=mulesoft environment=$env$ applicationName=applicationName="*" InterfaceName=InterfaceName="*"

Either remove applicationName= from your prefix or from your search

index=mulesoft environment=$env$ $BankApp$ $interface$

ITWhisperer · ‎04-18-2024

Your fieldForLabel has to be a field returned by the search query, which it isn't in both instances

How to get token values from dropdown to splunk query?

Classic dashboard

token

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation