Dashboards & Visualizations

How to pass a token in to Dashboard with OR?

kiran331
Builder

Hello,

I have a field status with values new, active, reopen. I have to pass status values as (New or active or reopen).when I pass token with values its taking as AND, but a event has only one of them. How can I do it?

Tags (2)
0 Karma
1 Solution

rjthibod
Champion

Do you mean you are passing these values into a search,e.g. index=foo $status_token$ | ... ?

If so, you can use gentimes and format to reformat the value.

Suppose your field is called "status" and you want to search (status=new OR status=active OR status=reopen). So, assuming I understand your plan is to set the token value to "new active reopen", you can use the following to search using OR instead of AND logic.

index=foo [| gentimes start=-1 | eval status = "$status_token$" | table status | makemv status | mvexpand status | format]

This should get converted to the following when applied

index=foo ( ( status="open" ) OR ( status="new" ) OR ( status="reopen" ) )

View solution in original post

0 Karma

rjthibod
Champion

@kiran331, did my answer help you? If so, please accept it. If not, please clarify.

0 Karma

kiran331
Builder

It worked Thanks!

0 Karma

rjthibod
Champion

Do you mean you are passing these values into a search,e.g. index=foo $status_token$ | ... ?

If so, you can use gentimes and format to reformat the value.

Suppose your field is called "status" and you want to search (status=new OR status=active OR status=reopen). So, assuming I understand your plan is to set the token value to "new active reopen", you can use the following to search using OR instead of AND logic.

index=foo [| gentimes start=-1 | eval status = "$status_token$" | table status | makemv status | mvexpand status | format]

This should get converted to the following when applied

index=foo ( ( status="open" ) OR ( status="new" ) OR ( status="reopen" ) )

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...