Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- generate dynamic search using lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
generate dynamic search using lookup
Hi All ,
I had a lookup table with servername and jvmname :
ServerName Jvmname
server1 jvm1
server1 jvm2
server1 jvm3
Able to get server1 in drop down through lookup .From the dropdown when i select server1 ,how can i generate search query similar to below
sourcetype=jvmtype (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)
Any quick help is highly appreciated .
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your base search
[|inputlookup myinput.csv | search ServerName=$TheServerToken$ |
table Jvmname | rename Jvmname as jvm | format]
| whatever else you want to do with the search
in the above code $TheServerToken$ would be whatever value you are passing back from the dropdown.
What this subsearch does is create a table of desired values for jvm, and then the format command changes the output from the subsearch to look like
((jvm="jvm1") OR (jvm="jvm2") OR (jvm="jvm3"))
When the subsearch returns that code into the original base search, the search acts like that code was always there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the prompt response .This is one way of achieving it .
Is there a way we can get through token or field value when we select a server in drop down(multiselect or single select) as this is common logic in all panels
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's what i just gave you. The server value is what you feed into $TheServerToken$ in that subsearch in order to pull the jvm data from the lookup table and feed it to the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dal,
Subsearch will increase overhead .I am looking if the token value of drop down selected should generate/should be like a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"
Like when i selected server1 in drop down the token value of it should be a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"
Thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
