Best Way to Search based on a Token Value

strehb18
Path Finder

Hello,

I am trying to find the best way to change my search based on a token value that I will pass through an input. Right now, I have a search that is filtered by a production area. I would like to be able, in that search, to use the sub production area instead if one is selected. Both of these values have a token associated with them: $production_area$ and $sub_production_area$. I couldn't get a conditional in a search to work. I would only like to search based on the sub production area if a value other than the default is selected. The current search limits results by production_area=$production_area$.

I can provide more information if needed. I had trouble wording the question to fully explain what I am looking for. 

0 Karma

renjith_nair
SplunkTrust

Assuming that you have a search along the lines of

index="your index" "search terms" production_area=$production_area$

You want to add another filter, $sub_production_area$, only if the user chooses a sub_production_area value other than the default. Is that correct? Can't we set the default value to * and set the $sub_production_area$ filter in the search?

Can you please share the XML of your dashboard and specify what change you would like to have?

Happy Splunking!
0 Karma

strehb18
Path Finder

That is mostly correct. I would like to search production_area=$production_area$ unless a sub_production_area is not at the default. Then I would like to search production_area=$sub_production_area$. 

Thinking about it now, the ideal solution would be to add the subs into the production_area dropdown, but I don't want all that clutter in the dropdown. 

| search index=def_mfg source=work_order production_area=$select_production_area$
Is the main search. 

The tokens are created through inputs. I can put those in but they will fill the page a bit. 


0 Karma
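One way to get the behaviour discussed in this thread, as an added example that is not part of any post above: a Simple XML form whose search takes its production_area filter from a subsearch, which returns the sub production area when one is selected and the production area otherwise. It assumes the default value of the sub production area input is * (as suggested in the reply above); the dropdown choices, the label and the time range are constructed placeholders. The |s token filter quotes each token value, so a selected value is always treated as a string and never as search syntax.

```xml
<form version="1.1">
  <label>Work orders by production area</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="production_area">
      <label>Production area</label>
      <!-- constructed sample choices, replace with the real areas -->
      <choice value="assembly">Assembly</choice>
      <choice value="paint">Paint</choice>
      <default>assembly</default>
    </input>
    <input type="dropdown" token="sub_production_area">
      <label>Sub production area</label>
      <!-- assumption: "*" is the default and means "no sub area selected" -->
      <choice value="*">None (use production area)</choice>
      <choice value="assembly_line_1">Assembly line 1</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- The subsearch yields one row with a production_area field,
             which Splunk turns into the filter production_area="..." -->
        <search>
          <query>
index=def_mfg source=work_order
    [| makeresults
     | eval production_area=if($sub_production_area|s$ == "*", $production_area|s$, $sub_production_area|s$)
     | table production_area]
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because both tokens are read when the search runs, changing either dropdown re-evaluates the condition without any extra token handling on the inputs.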