Dashboards & Visualizations

How to pass a token in to Dashboard with OR?

kiran331
Builder

Hello,

I have a field status with values new, active, reopen. I have to pass status values as (New or active or reopen).when I pass token with values its taking as AND, but a event has only one of them. How can I do it?

Tags (2)
0 Karma
1 Solution

rjthibod
Champion

Do you mean you are passing these values into a search,e.g. index=foo $status_token$ | ... ?

If so, you can use gentimes and format to reformat the value.

Suppose your field is called "status" and you want to search (status=new OR status=active OR status=reopen). So, assuming I understand your plan is to set the token value to "new active reopen", you can use the following to search using OR instead of AND logic.

index=foo [| gentimes start=-1 | eval status = "$status_token$" | table status | makemv status | mvexpand status | format]

This should get converted to the following when applied

index=foo ( ( status="open" ) OR ( status="new" ) OR ( status="reopen" ) )

View solution in original post

0 Karma

rjthibod
Champion

@kiran331, did my answer help you? If so, please accept it. If not, please clarify.

0 Karma

kiran331
Builder

It worked Thanks!

0 Karma

rjthibod
Champion

Do you mean you are passing these values into a search,e.g. index=foo $status_token$ | ... ?

If so, you can use gentimes and format to reformat the value.

Suppose your field is called "status" and you want to search (status=new OR status=active OR status=reopen). So, assuming I understand your plan is to set the token value to "new active reopen", you can use the following to search using OR instead of AND logic.

index=foo [| gentimes start=-1 | eval status = "$status_token$" | table status | makemv status | mvexpand status | format]

This should get converted to the following when applied

index=foo ( ( status="open" ) OR ( status="new" ) OR ( status="reopen" ) )

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...