Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- How to replace query input variables with variable...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to replace query input variables with variable values
</input>
<input type="dropdown" token="project">
<label>Project</label>
<choice value="tok1*">Token1</choice>
<choice value="tok2*">Token2</choice>
<default>tok1</default>
<initialValue>tok1</initialValue>
<change>
<condition value="tok1">
<set token="x-key">key1-</set>
</condition>
<condition value="tok2">
<set token="x-key">key2-</set>
</condition>
</change>
</input>
<input type="multiselect" token="minorstate">
<label>minorstate</label>
<choice value="*">All</choice>
<choice value=""a", "b", "c", "d",">Minorstate</choice>
<default>"""a"", ""b"", ""c"", ""d""</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>a,"b","c","d"</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> , </delimiter>
<fieldForLabel>minorstate</fieldForLabel>
<fieldForValue>minorstate</fieldForValue>
<search>
<query>index=dunamis* sourcetype=dunamis_* producer=dunamis project=$project$ "x-key=$x-key$" | stats count by minorstate</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
</input>
The variables $project$ and $x-key$ are not getting replaced by the values that are being set in the dropdown. Can someone please help? Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try changing the condition value to tok1* instead of tok1 ?
Here is a run anywhere example for reference
<form version="1.1" theme="light">
<label>Tokens</label>
<fieldset submitButton="false">
<input type="dropdown" token="project" searchWhenChanged="true">
<label>Project</label>
<choice value="tok1*">Token1</choice>
<choice value="tok2*">Token2</choice>
<change>
<condition value="tok1*">
<set token="x-key">Key1</set>
</condition>
<condition value="tok2*">
<set token="x-key">Key2</set>
</condition>
</change>
</input>
<input type="multiselect" token="Record">
<label>Record</label>
<delimiter> ,</delimiter>
<fieldForLabel>Record</fieldForLabel>
<fieldForValue>Record</fieldForValue>
<search>
<query>|makeresults count=5|streamstats count|eval Record="Record".count|eval count=ceil(count/2)|eval project="tok".count."abc",x-key="Key".count|fields - _time,count|search project=$project$ AND x-key=$x-key$</query>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<title>Project = $project$ , Key = $x-key$, Record = $Record$</title>
<table>
<title>Results</title>
<search>
<query>|makeresults count=5|streamstats count|eval Record="Record".count|eval count=ceil(count/2)|eval project="tok".count."abc",x-key="Key".count|fields - _time,count|where Record in ($Record$)</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>What goes around comes around. If it helps, hit it with Karma 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
