Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I create a search parameter that maps to multiple field values?

griffins
Explorer
‎06-08-2022 09:07 AM

For context, I'm creating a dashboard where a user can search activity of all hosts in an environment or one host in that same environment. Unfortunately, the naming convention used for hostnames makes searching all hosts in a specific environment a bit more complicated than using a single field/value pair with a wildcard. For example, searching all non-production hosts would require a search similar to the following in my case:

 

index=servers host!="*prd*" AND (host="*30*" OR host="*40*")

 

In the dashboard, I'd like the user to be able to select a single hostname from a dropdown, or an "All Servers" option from the dropdown.

With that being said, is there a way I can map all the hostnames to a single "field value" such that something like...

 

index=servers host=allhosts

 

 ...would accomplish the same thing as my initial search example?

This would be helpful as it would allow me to use a token for the host field when a user selects an option from the hosts dropdown.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jamie00171
Communicator
‎06-08-2022 10:17 AM

hi @griffins ,

 

Could use an eventype for this: https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Abouteventtypes

 

Thanks, 

 

Jamie

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jamie00171
Communicator
‎06-08-2022 10:17 AM

hi @griffins ,

 

Could use an eventype for this: https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Abouteventtypes

 

Thanks, 

 

Jamie

0 Karma
Reply
Solved! Jump to solution

griffins
Explorer
‎06-08-2022 10:59 AM

I think this would work; however, after reading through some of the eventtype documentation, search macros were suggested if I was looking to shorten a search. So I was able to create what I needed using search macros, but I believe your suggestion would also work 🙂

Thank you!

0 Karma
Reply
Solved! Jump to solution

jamie00171
Communicator
‎06-08-2022 10:18 AM

Could you use*

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...