Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

generate dynamic search using lookup

splunk403
Explorer
‎03-01-2017 01:11 PM

Hi All ,

I had a lookup table with servername and jvmname :

ServerName Jvmname
server1 jvm1
server1 jvm2
server1 jvm3

Able to get server1 in drop down through lookup .From the dropdown when i select server1 ,how can i generate search query similar to below

sourcetype=jvmtype (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)

Any quick help is highly appreciated .

Thanks

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎03-01-2017 03:24 PM 
your base search 
    [|inputlookup myinput.csv | search ServerName=$TheServerToken$ |
     table Jvmname | rename Jvmname as jvm | format] 
| whatever else you want to do with the search

in the above code $TheServerToken$ would be whatever value you are passing back from the dropdown.

What this subsearch does is create a table of desired values for jvm, and then the format command changes the output from the subsearch to look like

 ((jvm="jvm1") OR (jvm="jvm2") OR (jvm="jvm3"))

When the subsearch returns that code into the original base search, the search acts like that code was always there.

0 Karma
Reply

splunk403
Explorer
‎03-01-2017 04:58 PM

Thanks for the prompt response .This is one way of achieving it .

Is there a way we can get through token or field value when we select a server in drop down(multiselect or single select) as this is common logic in all panels

Thanks

0 Karma
Reply

DalJeanis
Legend
‎03-01-2017 06:11 PM

That's what i just gave you. The server value is what you feed into $TheServerToken$ in that subsearch in order to pull the jvm data from the lookup table and feed it to the search.

0 Karma
Reply

splunk403
Explorer
‎03-02-2017 01:48 PM

Hi Dal,

Subsearch will increase overhead .I am looking if the token value of drop down selected should generate/should be like a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"

Like when i selected server1 in drop down the token value of it should be a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...