Splunk Search

Decide between two queries?

New Member

I need to decide which token to use in a dashboard query (one or the other would be used for my "host" field in the results) based on the value of one of the tokens. If I don't select a value for $t_pod$ I want the query to use $t_host$, but if I select a value for $t_pod$ I want to use that in the query.

index=MYINDEX subid=$t_submissionID$ msg=$t_messageType$ host=$t_host$

index=MYINDEX subid=$t_submissionID$ msg=$t_messageType$ host=$t_pod$

How can I decide which to use based on $t_pod$?

0 Karma


If you have text fields for both t_host and t_pod in your dashboard, this might help. It just shows the substitution.

  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="t_pod">
      <change><set token="t_pod">$value$</set></change>
    </input>
    <input type="text" token="t_host">
      <change><set token="t_host">$value$</set></change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval hostToken=if("$t_host$"=="","$t_pod$","$t_host$")</query>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>

In your example, you can then do something like this:

index=MYINDEX subid=$t_submissionID$ msg=$t_messageType$
| eval hostToken=if("$t_host$"=="","$t_pod$","$t_host$")
| where host=hostToken
0 Karma
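
An added example, not part of the answer above and not Splunk-supplied code: a complete Simple XML form that makes the choice inside a subsearch, so the chosen value becomes a `host=` term of the base search instead of a post-filter. It assumes every text input defaults to `*` and that `*` or an empty value means "nothing selected"; as the question asks, `t_pod` wins when it is set. The labels, defaults and time range are illustrative.

```xml
<form>
  <label>Host or pod filter (added example)</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- Assumption: "*" is the default of every input and means "nothing selected". -->
    <input type="text" token="t_submissionID">
      <label>Submission ID</label>
      <default>*</default>
    </input>
    <input type="text" token="t_messageType">
      <label>Message type</label>
      <default>*</default>
    </input>
    <input type="text" token="t_pod">
      <label>Pod</label>
      <default>*</default>
    </input>
    <input type="text" token="t_host">
      <label>Host</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The subsearch runs first and returns a single term, host="<chosen value>",
               which is placed into the outer search. t_pod is used when it holds a
               real value; otherwise t_host is used. -->
          <query>index=MYINDEX subid=$t_submissionID$ msg=$t_messageType$
    [| makeresults
     | eval host=if("$t_pod$"=="" OR "$t_pod$"=="*", "$t_host$", "$t_pod$")
     | return host]
| table _time host subid msg</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Because the chosen value lands in the base search, a wildcard such as `web*` in either input still matches, which an exact `where host=hostToken` comparison does not do.
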

Path Finder

What is the placeholder value if there's no selection for one of those tokens? Is it a wildcard?

0 Karma