Use token in IN-Clause

danielsuter · ‎03-22-2019

I'm using a where field in ("term1", "term2") clause in a search. The terms should come from a token but I'm having troubles to do that. The search never fires or I get syntax problems.

I have a single select drop down from which the values for the in clause are coming:

<input type="dropdown" token="service">
  <label>Some label</label>
  <choice value="here come multiple terms">All</choice>
  <choice value="here comes one term">One term desc</choice>
</input>

Now I want to use it in my search clause

        | where service_field in($service$)

somesoni2 · ‎03-22-2019

The value list in infunction is a comma separated quoted strings. Make sure your dropdown is formatting it that way.

renjith_nair · ‎03-22-2019

@danielsuter,

Is the dropdown populated by dynamic search or static values ? How do you represent value for "All" ?

If they are static, would this work ?

    <input type="dropdown" token="service">
      <label>Terms</label>
      <choice value="&quot;A&quot;, &quot;B&quot;,&quot;C&quot;">All</choice>
      <choice value="&quot;here comes one term&quot;">One term desc</choice>
    </input>

---
What goes around comes around. If it helps, hit it with Karma 🙂

Use token in IN-Clause

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application