Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search after Lookup

akira2211
Explorer
‎12-28-2020 07:33 PM

How can I search only match field after Lookup.

 

For example,

 

 

index="idx_mem_mng" sourcetype="type:mem_mng:apptc_detect_error" 
| where error_count > 2 and error_type != ""
| lookup MEMORY_MANAGEMENT_APPTC_TEST_CASE.csv id as id_test_case output testcase, process
| lookup MEMORY_MANAGEMENT_APPTC_DAILY_INFO.csv id as id_daily_info output version
| search version=20201211 OR version=20201207 OR version=20201204 OR version=20201203
| mvcombine delim="," version
| sort -version
| stats list(version) as COLUMN delim="," by testcase, process 
| nomv COLUMN
| table testcase, process, COLUMN

 

 

 

I want to replace 

 

 

| search version=20201211 OR version=20201207 OR version=20201204 OR version=20201203

 

 

by 

 

 

|search version=$vers$

 

 

where $vers$ is multiple input (ex vers = 20201211 OR 20201207 OR 20201204 OR 20201203)

 

When I replace, it doesn't work. Any help plz? Thank you for your time!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-28-2020 08:16 PM

You may either set the token with delimiters and include "version" string in the token itself

e.g.

<form>
  <label>Version</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="version">
      <label>Version</label>
      <choice value="20201211">20201211</choice>
      <choice value="20201207">20201207</choice>
      <choice value="20201204">20201204</choice>
      <choice value="20201203">20201203</choice>
      <valuePrefix>version="</valuePrefix>
      <delimiter> OR </delimiter>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>$version$</h1>
      </html>
    </panel>
  </row>
</form>

OR

Add an IN clause

<form>
  <label>Version</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="version">
      <label>Version</label>
      <choice value="20201211">20201211</choice>
      <choice value="20201207">20201207</choice>
      <choice value="20201204">20201204</choice>
      <choice value="20201203">20201203</choice>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>where version in ($version$)</h1>
      </html>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-28-2020 08:16 PM

You may either set the token with delimiters and include "version" string in the token itself

e.g.

<form>
  <label>Version</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="version">
      <label>Version</label>
      <choice value="20201211">20201211</choice>
      <choice value="20201207">20201207</choice>
      <choice value="20201204">20201204</choice>
      <choice value="20201203">20201203</choice>
      <valuePrefix>version="</valuePrefix>
      <delimiter> OR </delimiter>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>$version$</h1>
      </html>
    </panel>
  </row>
</form>

OR

Add an IN clause

<form>
  <label>Version</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="version">
      <label>Version</label>
      <choice value="20201211">20201211</choice>
      <choice value="20201207">20201207</choice>
      <choice value="20201204">20201204</choice>
      <choice value="20201203">20201203</choice>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>where version in ($version$)</h1>
      </html>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

akira2211
Explorer
‎12-28-2020 08:33 PM

Thank you renjith_nair 🙂

 

You are right,

I found solution when add Prefix as bellow.

<valuePrefix>version=</valuePrefix>

 

Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-28-2020 08:50 PM

@akira2211, glad it worked. Appreciate a 👍  on the post 🙂

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...