How to append domain to hostname at search time?

rwheeloc
Explorer

I've done a bit of searching and haven't quite found a solution to what I'm trying to accomplish (or I haven't understood the previous solutions).

But essentially I'm trying to write an SPL query (for use in a dashboard) that will append a string (domain) to a list of values (hosts) passed by a token prior to processing the search.

For example, if the value passed by token $DeviceNames$ is "host1,host2,host3", the goal would be to return results as if the query was equivalent to:

hostname IN (host1.domain.com,host2.domain.com,host3.domain.com)

 


livehybrid
Super Champion

Okay @rwheeloc I think I might have something which will work for you. It's currently based on hosts in _internal but you will hopefully work out what's going on...


 

There is a table off-screen with a search which generates the list of hosts with the domain added:


 

You can then use this in your search as:

| search host IN ($calcTokens:result.fqdn$)

Below is the full Dashboard Studio definition for you to have a play around with; hopefully this can be adapted for what you need. You can make that calcTokens search do anything, such as a lookup or case statement to determine the index etc. of a particular value.

Full dashboard definition:

{
    "title": "Test",
    "description": "",
    "inputs": {
        "input_xErPd246": {
            "dataSources": {
                "primary": "ds_BVphVPJh"
            },
            "options": {
                "defaultValue": [],
                "items": [
                    {
                        "label": "All",
                        "value": "*"
                    }
                ],
                "token": "host_dropdown"
            },
            "title": "Host",
            "type": "input.multiselect"
        }
    },
    "defaults": {
        "dataSources": {}
    },
    "visualizations": {
        "viz_54DWfjK8": {
            "dataSources": {
                "primary": "ds_UgFKNfjH"
            },
            "title": "This is hidden",
            "type": "splunk.table"
        },
        "viz_RfxFwzef": {
            "dataSources": {
                "primary": "ds_Ldb8veEn"
            },
            "eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.n.value",
                                "token": "value"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                },
                {
                    "options": {
                        "newTab": true,
                        "url": "https://google.com?value=$value$"
                    },
                    "type": "drilldown.customUrl"
                }
            ],
            "title": "_internal by host",
            "type": "splunk.table"
        },
        "viz_fvzrSMeV": {
            "dataSources": {
                "primary": "ds_K2pCXGuI_ds_Ldb8veEn"
            },
            "eventHandlers": [
                {
                    "options": {
                        "tokens": [
                            {
                                "key": "row.n.value",
                                "token": "value"
                            }
                        ]
                    },
                    "type": "drilldown.setToken"
                },
                {
                    "options": {
                        "newTab": true,
                        "url": "https://google.com?value=$value$"
                    },
                    "type": "drilldown.customUrl"
                }
            ],
            "title": "_internal by fqdn",
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "ds_BVphVPJh": {
            "name": "Search_2",
            "options": {
                "query": "| tstats count where index=_internal by host",
                "queryParameters": {
                    "earliest": "-4h@m",
                    "latest": "now"
                }
            },
            "type": "ds.search"
        },
        "ds_K2pCXGuI_ds_Ldb8veEn": {
            "name": "Search_1 copy 1",
            "options": {
                "query": "| tstats count where index=_internal by host\n| eval host=host.\".mydomain.com\"\n| search host IN ($calcTokens:result.fqdn$)\n",
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                }
            },
            "type": "ds.search"
        },
        "ds_Ldb8veEn": {
            "name": "Search_1",
            "options": {
                "query": "| tstats count where index=_internal host IN ($host_dropdown$) by host",
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                }
            },
            "type": "ds.search"
        },
        "ds_UgFKNfjH": {
            "name": "calcTokens",
            "options": {
                "enableSmartSources": true,
                "query": "| makeresults \n|  eval host=split(\"$host_dropdown$\",\",\")\n| foreach host mode=multivalue \n    [| eval fqdn=mvappend(fqdn,<<ITEM>>.\".mydomain.com\")]\n",
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                }
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_xErPd246"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto-scale"
                },
                "structure": [
                    {
                        "item": "viz_RfxFwzef",
                        "position": {
                            "h": 210,
                            "w": 340,
                            "x": 270,
                            "y": 50
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_54DWfjK8",
                        "position": {
                            "h": 300,
                            "w": 520,
                            "x": 1220,
                            "y": 30
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_fvzrSMeV",
                        "position": {
                            "h": 210,
                            "w": 540,
                            "x": 620,
                            "y": 50
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


rwheeloc
Explorer

Thanks! This is using Dashboard Studio.

The input is currently via a multiselect dropdown.

Ultimately the goal of this dashboard is for the user to be able to select one or more values from the dropdown, and be presented with corresponding results from queries to two separate indices. The challenge is that one index has hostnames stored as fqdn, and the other the host by itself.

 

I've also wondered if it might be a better approach for the drop-down values to include the domain, and then somehow strip it back out in the query against the index that doesn't need it?

 

rwheeloc
Explorer

Thank you very much! I think I've got it working as intended now!


livehybrid
Super Champion

Hi @rwheeloc 

Are you using Classic Dashboards or Dashboard Studio dashboards?

In classic you should be able to add the rest of the domain to the "Token Value Suffix" section of the input.

In Dashboard Studio you'd probably need to create another search in a table which is off to the outside of the visible frame, pass the token in and use makeresults to turn it into the string you need, then use the result from that search as the token in your other searches.

The other way might be to change it at the point it's rendered in the input - are you using a search to generate the token options?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will
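
Both directions raised in this thread (appending the domain for the index that stores FQDNs, and stripping it for the index that stores bare host names) can be produced by one helper search. The following is an added run-anywhere example, not code from any of the posts; it uses mvmap instead of foreach, and the sample value, the field names and the character filter are assumptions.

```spl
| makeresults
| eval note="constructed sample standing in for the multiselect token value; .mydomain.com is the placeholder domain used in the thread"
| eval raw="host1, host2.mydomain.com ,HOST3,,host1"
| eval item=split(raw, ",")
| eval item=mvmap(item, lower(trim(item)))
| eval item=mvfilter(match(item, "^([*]|[a-z0-9][a-z0-9.-]*)$"))
| eval short=mvdedup(mvmap(item, replace(item, "[.].*$", "")))
| eval fqdn=mvmap(short, short.".mydomain.com")
| eval short_csv=mvjoin(short, ","), fqdn_csv=mvjoin(fqdn, ",")
| table short_csv fqdn_csv
```

In a dashboard the `raw` literal would carry the input token, and the two result fields would be referenced the same way the answer references `result.fqdn`. The filter only drops empty or malformed list entries after the token text has already been substituted into the query, so it does not replace quoting the token where it is inserted.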
