Splunk Search

How to append domain to hostname at search time?

rwheeloc
Explorer

I've done a bit of searching and haven't quite found a solution to what I'm trying to accomplish (or I haven't understood the previous solutions).

But essentially I'm trying to write an SPL query (for use in a dashboard) that will append a string (domain) to a list of values (hosts) passed by a token prior to processing the search.

For example, if the value passed by token $DeviceNames$ is "host1,host2,host3", the goal would be to return results as if the query was equivalent to:

hostname IN (host1.domain.com,host2.domain.com,host3.domain.com)


1 Solution

livehybrid
Champion

Okay @rwheeloc, I think I might have something which will work for you. It's currently based on hosts in _internal but you will hopefully work out what's going on...

livehybrid_0-1743111376904.png


There is a table off-screen with a search which generates the list of hosts with the domain added:

livehybrid_1-1743111427510.png


You can then use this in your search as:

| search host IN ($calcTokens:result.fqdn$)

Below is the full Dashboard Studio definition for you to have a play around with; hopefully this can be adapted for what you need. You can make that calcTokens search do anything, such as a lookup or case statement to determine the index etc. of a particular value.

Full dashboard definition:

{
    "title": "Test",
    "description": "",
    "inputs": {
        "input_xErPd246": {
            "dataSources": {
                "primary": "ds_BVphVPJh"
            },
            "options": {
                "defaultValue": [],
                "items": [
                    {
                        "label": "All",
                        "value": "*"
                    }
                ],
                "token": "host_dropdown"
            },
            "title": "Host",
            "type": "input.multiselect"
        }
    },
    "defaults": {
        "dataSources": {}
    },
    "visualizations": {
        "viz_54DWfjK8": {
            "dataSources": {
                "primary": "ds_UgFKNfjH"
            },
            "title": "This is hidden",
            "type": "splunk.table"
        },
        "viz_RfxFwzef": {
            "dataSources": {
                "primary": "ds_Ldb8veEn"
            },
            "eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.n.value",
                                "token": "value"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                },
                {
                    "options": {
                        "newTab": true,
                        "url": "https://google.com?value=$value$"
                    },
                    "type": "drilldown.customUrl"
                }
            ],
            "title": "_internal by host",
            "type": "splunk.table"
        },
        "viz_fvzrSMeV": {
            "dataSources": {
                "primary": "ds_K2pCXGuI_ds_Ldb8veEn"
            },
            "eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.n.value",
                                "token": "value"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                },
                {
                    "options": {
                        "newTab": true,
                        "url": "https://google.com?value=$value$"
                    },
                    "type": "drilldown.customUrl"
                }
            ],
            "title": "_internal by fqdn",
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "ds_BVphVPJh": {
            "name": "Search_2",
            "options": {
                "query": "| tstats count where index=_internal by host",
                "queryParameters": {
                    "earliest": "-4h@m",
                    "latest": "now"
                }
            },
            "type": "ds.search"
        },
        "ds_K2pCXGuI_ds_Ldb8veEn": {
            "name": "Search_1 copy 1",
            "options": {
                "query": "| tstats count where index=_internal by host\n| eval host=host.\".mydomain.com\"\n| search host IN ($calcTokens:result.fqdn$)\n",
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                }
            },
            "type": "ds.search"
        },
        "ds_Ldb8veEn": {
            "name": "Search_1",
            "options": {
                "query": "| tstats count where index=_internal host IN ($host_dropdown$) by host",
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                }
            },
            "type": "ds.search"
        },
        "ds_UgFKNfjH": {
            "name": "calcTokens",
            "options": {
                "enableSmartSources": true,
                "query": "| makeresults \n|  eval host=split(\"$host_dropdown$\",\",\")\n| foreach host mode=multivalue \n    [| eval fqdn=mvappend(fqdn,<<ITEM>>.\".mydomain.com\")]\n",
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                }
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_xErPd246"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto-scale"
                },
                "structure": [
                    {
                        "item": "viz_RfxFwzef",
                        "position": {
                            "h": 210,
                            "w": 340,
                            "x": 270,
                            "y": 50
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_54DWfjK8",
                        "position": {
                            "h": 300,
                            "w": 520,
                            "x": 1220,
                            "y": 30
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_fvzrSMeV",
                        "position": {
                            "h": 210,
                            "w": 540,
                            "x": 620,
                            "y": 50
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

rwheeloc
Explorer

Thanks! This is using Dashboard Studio.

The input is currently via a multiselect dropdown.

Ultimately the goal of this dashboard is for the user to be able to select one or more values from the dropdown, and be presented with corresponding results from queries to two separate indices. The challenge is that one index has hostnames stored as fqdn, and the other the host by itself.


I've also wondered if it might be a better approach for the drop-down values to include the domain, and then somehow strip it back out in the query against the index that doesn't need it?


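The following SPL is an added example, not code from either poster. It builds on the accepted answer's calcTokens search (which appends the domain with foreach mode=multivalue) and on the follow-up question about going the other way, stripping the domain back off for the index that stores bare hostnames. Both transformations are done in one makeresults search so a single hidden data source can supply either list. The sample value "host1, host2,host3" stands in for the $host_dropdown$ token and is constructed here; ".mydomain.com" is the domain used on the page. The search is written for the search bar; if it is pasted into a dashboard JSON "query" string, the quotes and backslashes must be JSON-escaped as in the author's definition.

```spl
| makeresults
| eval raw="host1, host2,host3"
| eval host=split(raw, ",")
| eval host=mvmap(host, trim(host))
| eval fqdn=mvmap(host, host.".mydomain.com")
| eval short_host=mvmap(fqdn, replace(fqdn, "\.mydomain\.com$", ""))
| eval fqdn_list=mvjoin(fqdn, ",")
| eval short_list=mvjoin(short_host, ",")
| table host fqdn short_host fqdn_list short_list
```

In a dashboard, replace the `raw` literal with `"$host_dropdown$"` and reference `$calcTokens:result.fqdn$` or `$calcTokens:result.short_host$` in the same way the accepted answer references `result.fqdn`. mvmap is available on Splunk 8.0 and later, so it works where the page's foreach mode=multivalue is not available. If the dropdown's "All" item (value `*`) is selected, the appended value becomes `*.mydomain.com`, which still matches as a wildcard inside `host IN (...)`. The trim step only normalises whitespace from the multiselect; the token value is interpolated into SPL verbatim, so keep the input populated from a search of real host values, as the author's ds_BVphVPJh data source does, rather than from free text.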


rwheeloc
Explorer

Thank you very much! I think I've got it working as intended now!


livehybrid
Champion

Hi @rwheeloc,

Are you using Classic Dashboards or Dashboard Studio dashboards?

In classic you should be able to add the rest of the domain to the "Token Value Suffix" section of the input.

In Dashboard Studio you'd probably need to create another search in a table which is off to the outside of the visible frame, pass the token in and use makeresults to turn it into the string you need, then use the result from that search as the token in your other searches.

The other way might be to change it at the point it's rendered in the input - are you using a search to generate the token options?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will
