Solved: run specific query depens on token value

spisiakmi · ‎04-24-2024

Hi,

on a dashboard I have a simple check box element: LastOne_tkn (token name). If the check box is enabled, the LastOne_tkn=TRUE. There is simple small table view, which shows some results. I would like to run query in that table view based on LastOne_tkn condition.

LastOne_tkn=TRUE (dedup activated)

index=machinedata
| dedup Attr1
| table Attr1, Attr2

LastOne_tkn=otherwise (dedup deactivated)

index=machinedata
| table Attr1, Attr2

Any idea, please?

ITWhisperer · ‎04-25-2024

Rather than setting the value to true, set it to the line you want in your search

    <input type="checkbox" token="LastOne_tkn">
      <label>Dedup</label>
      <choice value="| dedup Attr1">Dedup</choice>
      <default></default>
      <initialValue></initialValue>
    </input>

Then use the token in your search

index=machinedata
$LastOne_tkn$
| table Attr1, Attr2

View solution in original post

ITWhisperer · ‎04-25-2024

Rather than setting the value to true, set it to the line you want in your search

    <input type="checkbox" token="LastOne_tkn">
      <label>Dedup</label>
      <choice value="| dedup Attr1">Dedup</choice>
      <default></default>
      <initialValue></initialValue>
    </input>

Then use the token in your search

index=machinedata
$LastOne_tkn$
| table Attr1, Attr2

spisiakmi · ‎04-25-2024

Hi ITWhisperer,

exactly this very simple elegant solution I needed. Thank you very much. Works fine.

run specific query depens on token value

using Splunk Enterprise

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

run specific query depens on token value

using Splunk Enterprise

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR