Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best Way to Search based on a Token Value

strehb18
Path Finder
‎11-30-2020 11:33 AM

Hello,

I am trying to find the best way to change my search based on a token value that I will pass through an input. Right now, I have a search that is filtered by a production area. I would like to be able to in that search, use the sub production area instead if one is selected. Both of these values have a token associated with them. $production_area$ and $sub_production_area$. I couldn't get a conditional in a search to work. I would only like to search based on the sub production area if a value other than the default is selected. The current search limits results by production_area=$production_area$. 

I can provide more information if needed. I had trouble wording the question to fully explain what I am looking for. 

Labels (2)
Labels
0 Karma
Reply

renjith_nair
Legend
‎11-30-2020 10:11 PM

Assuming that you have  a search along the lines of

index="your index" "search terms" production_area=$production_area$

You want to add another filter $sub_production_area$ only if user chooses sub_production_area value other than default. Is that correct? Can't we set the default value to * and set the $sub_production_area$ filter in the search ?

Can you please share xml of your dashboard and specify what change you would like to have ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

strehb18
Path Finder
‎12-01-2020 09:17 AM

That is mostly correct. I would like to search production_area=$production_area$ unless a sub_production_area is not at the default. Then I would like to search production_area=$sub_production_area$. 

Thinking about it now, the ideal solution would be to add the subs into the production_area dropdown, but I don't want all that clutter in the dropdown. 

| search index=def_mfg source=work_order production_area=$select_production_area$
Is the main search. 

The tokens are created through inputs. I can put those in but they will fill the page a bit. 


0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...