Splunk Dev
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to replace query input variables with variable values

ayushipaul
Engager
‎02-29-2024 01:58 AM

</input>
<input type="dropdown" token="project">
<label>Project</label>
<choice value="tok1*">Token1</choice>
<choice value="tok2*">Token2</choice>
<default>tok1</default>
<initialValue>tok1</initialValue>
<change>
<condition value="tok1">
<set token="x-key">key1-</set>
</condition>
<condition value="tok2">
<set token="x-key">key2-</set>
</condition>
</change>
</input>

<input type="multiselect" token="minorstate">
<label>minorstate</label>
<choice value="*">All</choice>
<choice value="&quot;a&quot;, &quot;b&quot;, &quot;c&quot;, &quot;d&quot;,">Minorstate</choice>
<default>"""a"", ""b"", ""c"", ""d""</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>a,"b","c","d"</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> , </delimiter>
<fieldForLabel>minorstate</fieldForLabel>
<fieldForValue>minorstate</fieldForValue>
<search>
<query>index=dunamis* sourcetype=dunamis_* producer=dunamis project=$project$ "x-key=$x-key$" | stats count by minorstate</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
</input>

The variables $project$ and $x-key$ are not getting replaced by the values that are being set in the dropdown. Can someone please help? Thank you!

0 Karma
Reply

renjith_nair
Legend
‎03-01-2024 07:43 PM

Can you try changing the condition value to tok1* instead of tok1 ?

 

Here is a run anywhere example for reference

<form version="1.1" theme="light">
  <label>Tokens</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="project" searchWhenChanged="true">
      <label>Project</label>
      <choice value="tok1*">Token1</choice>
      <choice value="tok2*">Token2</choice>
      <change>
        <condition value="tok1*">
          <set token="x-key">Key1</set>
        </condition>
        <condition value="tok2*">
          <set token="x-key">Key2</set>
        </condition>
      </change>
    </input>
    <input type="multiselect" token="Record">
      <label>Record</label>
      <delimiter> ,</delimiter>
      <fieldForLabel>Record</fieldForLabel>
      <fieldForValue>Record</fieldForValue>
      <search>
        <query>|makeresults count=5|streamstats count|eval Record="Record".count|eval count=ceil(count/2)|eval project="tok".count."abc",x-key="Key".count|fields - _time,count|search project=$project$ AND x-key=$x-key$</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Project = $project$  , Key = $x-key$, Record = $Record$</title>
      <table>
        <title>Results</title>
        <search>
          <query>|makeresults count=5|streamstats count|eval Record="Record".count|eval count=ceil(count/2)|eval project="tok".count."abc",x-key="Key".count|fields - _time,count|where Record in ($Record$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...
Top