
Best Way to Search based on a Token Value

strehb18
Path Finder

Hello,

I am trying to find the best way to change my search based on a token value that I will pass through an input. Right now, I have a search that is filtered by a production area. I would like to be able, in that search, to use the sub production area instead if one is selected. Both of these values have a token associated with them: $production_area$ and $sub_production_area$. I couldn't get a conditional in a search to work. I would only like to search based on the sub production area if a value other than the default is selected. The current search limits results by production_area=$production_area$.

I can provide more information if needed. I had trouble wording the question to fully explain what I am looking for. 


renjith_nair
Legend

Assuming that you have a search along the lines of

index="your index" "search terms" production_area=$production_area$

You want to add another filter $sub_production_area$ only if the user chooses a sub_production_area value other than the default. Is that correct? Can't we set the default value to * and set the $sub_production_area$ filter in the search?

Can you please share the XML of your dashboard and specify what change you would like to have?


strehb18
Path Finder

That is mostly correct. I would like to search production_area=$production_area$ unless a sub_production_area is not at the default. Then I would like to search production_area=$sub_production_area$. 

Thinking about it now, the ideal solution would be to add the subs into the production_area dropdown, but I don't want all that clutter in the dropdown. 

| search index=def_mfg source=work_order production_area=$select_production_area$
Is the main search. 

The tokens are created through inputs. I can put those in but they will fill the page a bit. 

