Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search after Lookup

akira2211
Explorer
‎12-28-2020 07:33 PM

How can I search only match field after Lookup.

 

For example,

 

 

index="idx_mem_mng" sourcetype="type:mem_mng:apptc_detect_error" 
| where error_count > 2 and error_type != ""
| lookup MEMORY_MANAGEMENT_APPTC_TEST_CASE.csv id as id_test_case output testcase, process
| lookup MEMORY_MANAGEMENT_APPTC_DAILY_INFO.csv id as id_daily_info output version
| search version=20201211 OR version=20201207 OR version=20201204 OR version=20201203
| mvcombine delim="," version
| sort -version
| stats list(version) as COLUMN delim="," by testcase, process 
| nomv COLUMN
| table testcase, process, COLUMN

 

 

 

I want to replace 

 

 

| search version=20201211 OR version=20201207 OR version=20201204 OR version=20201203

 

 

by 

 

 

|search version=$vers$

 

 

where $vers$ is multiple input (ex vers = 20201211 OR 20201207 OR 20201204 OR 20201203)

 

When I replace, it doesn't work. Any help plz? Thank you for your time!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-28-2020 08:16 PM

You may either set the token with delimiters and include "version" string in the token itself

e.g.

<form>
  <label>Version</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="version">
      <label>Version</label>
      <choice value="20201211">20201211</choice>
      <choice value="20201207">20201207</choice>
      <choice value="20201204">20201204</choice>
      <choice value="20201203">20201203</choice>
      <valuePrefix>version="</valuePrefix>
      <delimiter> OR </delimiter>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>$version$</h1>
      </html>
    </panel>
  </row>
</form>

OR

Add an IN clause

<form>
  <label>Version</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="version">
      <label>Version</label>
      <choice value="20201211">20201211</choice>
      <choice value="20201207">20201207</choice>
      <choice value="20201204">20201204</choice>
      <choice value="20201203">20201203</choice>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>where version in ($version$)</h1>
      </html>
    </panel>
  </row>
</form>
Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-28-2020 08:16 PM

You may either set the token with delimiters and include "version" string in the token itself

e.g.

<form>
  <label>Version</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="version">
      <label>Version</label>
      <choice value="20201211">20201211</choice>
      <choice value="20201207">20201207</choice>
      <choice value="20201204">20201204</choice>
      <choice value="20201203">20201203</choice>
      <valuePrefix>version="</valuePrefix>
      <delimiter> OR </delimiter>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>$version$</h1>
      </html>
    </panel>
  </row>
</form>

OR

Add an IN clause

<form>
  <label>Version</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="version">
      <label>Version</label>
      <choice value="20201211">20201211</choice>
      <choice value="20201207">20201207</choice>
      <choice value="20201204">20201204</choice>
      <choice value="20201203">20201203</choice>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>where version in ($version$)</h1>
      </html>
    </panel>
  </row>
</form>
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

akira2211
Explorer
‎12-28-2020 08:33 PM

Thank you renjith_nair 🙂

 

You are right,

I found solution when add Prefix as bellow.

<valuePrefix>version=</valuePrefix>

 

Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-28-2020 08:50 PM

@akira2211, glad it worked. Appreciate a 👍  on the post 🙂

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...