Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best Way to Search based on a Token Value

strehb18
Path Finder
‎11-30-2020 11:33 AM

Hello,

I am trying to find the best way to change my search based on a token value that I will pass through an input. Right now, I have a search that is filtered by a production area. I would like to be able to in that search, use the sub production area instead if one is selected. Both of these values have a token associated with them. $production_area$ and $sub_production_area$. I couldn't get a conditional in a search to work. I would only like to search based on the sub production area if a value other than the default is selected. The current search limits results by production_area=$production_area$. 

I can provide more information if needed. I had trouble wording the question to fully explain what I am looking for. 

Labels (2)
Labels
0 Karma
Reply

renjith_nair
Legend
‎11-30-2020 10:11 PM

Assuming that you have  a search along the lines of

index="your index" "search terms" production_area=$production_area$

You want to add another filter $sub_production_area$ only if user chooses sub_production_area value other than default. Is that correct? Can't we set the default value to * and set the $sub_production_area$ filter in the search ?

Can you please share xml of your dashboard and specify what change you would like to have ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

strehb18
Path Finder
‎12-01-2020 09:17 AM

That is mostly correct. I would like to search production_area=$production_area$ unless a sub_production_area is not at the default. Then I would like to search production_area=$sub_production_area$. 

Thinking about it now, the ideal solution would be to add the subs into the production_area dropdown, but I don't want all that clutter in the dropdown. 

| search index=def_mfg source=work_order production_area=$select_production_area$
Is the main search. 

The tokens are created through inputs. I can put those in but they will fill the page a bit. 


0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...