Best Way to Search based on a Token Value

strehb18
Path Finder

Hello,

I am trying to find the best way to change my search based on a token value that I will pass through an input. Right now, I have a search that is filtered by a production area. In that search, I would like to be able to use the sub production area instead if one is selected. Both of these values have a token associated with them: $production_area$ and $sub_production_area$. I couldn't get a conditional in a search to work. I would only like to search based on the sub production area if a value other than the default is selected. The current search limits results by production_area=$production_area$.

I can provide more information if needed. I had trouble wording the question to fully explain what I am looking for. 

0 Karma

renjith_nair
SplunkTrust

Assuming that you have a search along the lines of

index="your index" "search terms" production_area=$production_area$

You want to add another filter $sub_production_area$ only if the user chooses a sub_production_area value other than the default. Is that correct? Can't we set the default value to * and set the $sub_production_area$ filter in the search?

Can you please share the XML of your dashboard and specify what change you would like to have?

0 Karma

strehb18
Path Finder

That is mostly correct. I would like to search production_area=$production_area$ unless a sub_production_area is not at the default. Then I would like to search production_area=$sub_production_area$. 

Thinking about it now, the ideal solution would be to add the subs into the production_area dropdown, but I don't want all that clutter in the dropdown. 

| search index=def_mfg source=work_order production_area=$select_production_area$
Is the main search. 

The tokens are created through inputs. I can put those in but they will fill the page a bit. 


0 Karma
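
An added example, not posted by either participant: one way to get the behaviour described in this thread is to have the inputs' change handlers in Simple XML maintain a third token that the search filters on. The token name area_filter, the choice values and the reset of the sub-area when the area changes are assumptions made for illustration; the index, source and the two input token names come from the posts above.

```xml
<form>
  <label>Work orders by production area (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="production_area" searchWhenChanged="true">
      <label>Production area</label>
      <!-- Constructed choice values -->
      <choice value="AREA_A">Area A</choice>
      <choice value="AREA_B">Area B</choice>
      <default>AREA_A</default>
      <change>
        <!-- Assumption: choosing a new area resets the sub-area to its default,
             so the area itself becomes the effective filter -->
        <set token="form.sub_production_area">*</set>
        <set token="area_filter">$value$</set>
      </change>
    </input>
    <input type="dropdown" token="sub_production_area" searchWhenChanged="true">
      <label>Sub production area</label>
      <choice value="*">(none)</choice>
      <choice value="AREA_A_1">Area A / line 1</choice>
      <default>*</default>
      <change>
        <!-- Default selected: fall back to the production area -->
        <condition value="*">
          <set token="area_filter">$production_area$</set>
        </condition>
        <!-- Anything else: filter on the selected sub-area instead -->
        <condition>
          <set token="area_filter">$value$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- area_filter is a hypothetical token; |s wraps the value in quotes
               so it is always treated as a single field value in the search -->
          <query>index=def_mfg source=work_order production_area=$area_filter|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The search text itself never changes; only the value of area_filter does, which avoids needing a conditional inside the SPL.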