Splunk Search

How to concatenate a string with a variable?

buttsurfer
Path Finder


I want to run this search, but I have to concatenate the string with a variable and it doesn't work.


    | rest splunk_server=local /servicesNS/-/-/saved/searches 
    | where match(search,"outputlookup\s.$lookup$") 

0 Karma

richgalloway
SplunkTrust

I showed you how to do that this morning.

https://community.splunk.com/t5/Splunk-Search/How-to-append-the-result-of-a-search-to-values-of-a-mu...

---
If this reply helps you, Karma would be appreciated.
0 Karma

buttsurfer
Path Finder

The $lookup$ variable is a token from the dashboard drilldown.

0 Karma

bowesmana
SplunkTrust

Based on the comments in your original post - (try not to create multiple posts with different info, it makes it hard for people to help) - I understand you have a token that has multiple values.

If that $lookup$ token is created through a <set token="lookup"> statement in the drilldown and the original field is MV, then the token will concatenate those values and look like 

a,b,c,d

so to do the match you would have to do something like (untested)

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| eval lookups="(".replace("$lookup$", ",", "|").")"
| where match(search,"outputlookup\s".lookups) 

which effectively is turning a,b,c,d into (a|b|c|d) and then the match will be doing 

| where match(search,"outputlookup\s(a|b|c|d)") 
0 Karma
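An added example, not code from the thread, that models the same regex construction in Python so it can be run offline: it builds the `(a|b|c|d)` alternation from a comma-separated token the way the `replace` eval above does, applies it to a few constructed saved-search definitions in place of the `| rest` output, and regex-escapes each lookup name so a drilldown token value containing metacharacters (a `.` in `users.csv`, or a bare `.*`) cannot change what the `match` selects. The saved searches and lookup names are constructed sample data.

```python
import re

# Constructed sample: the `search` field of a few saved searches, standing in
# for what `| rest /servicesNS/-/-/saved/searches` returns in the thread.
SAVED_SEARCHES = {
    "build_assets": "index=cmdb | stats count by host | outputlookup assets.csv",
    "build_users": "index=ad | table user | outputlookup users.csv",
    "archive_users": "index=ad | table user | outputlookup users_old.csv",
    "no_lookup": "index=main | stats count",
}


def lookups_pattern(token, escape=True):
    """Turn a comma-separated dashboard token such as 'a,b,c,d' into the
    alternation '(a|b|c|d)', as the `replace(...)` eval in the thread does.

    With escape=True every name is regex-escaped first, so a token value
    containing metacharacters ('.' in 'users.csv', or a bare '.*') is matched
    literally instead of being interpreted as part of the pattern."""
    names = [n.strip() for n in token.split(",") if n.strip()]
    if escape:
        names = [re.escape(n) for n in names]
    return "(" + "|".join(names) + ")"


def matching_searches(token, searches=SAVED_SEARCHES, escape=True):
    """Equivalent of `| where match(search, "outputlookup\\s".lookups)`:
    return the names of saved searches whose SPL writes one of the lookups."""
    pattern = re.compile(r"outputlookup\s" + lookups_pattern(token, escape))
    return sorted(name for name, spl in searches.items() if pattern.search(spl))


if __name__ == "__main__":
    print(lookups_pattern("a,b,c,d", escape=False))  # (a|b|c|d)
    print(matching_searches("assets.csv,users.csv"))  # ['build_assets', 'build_users']
    # Unescaped, a token of '.*' selects every search that has an outputlookup.
    print(matching_searches(".*", escape=False))  # ['archive_users', 'build_assets', 'build_users']
    print(matching_searches(".*"))  # []
```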

buttsurfer
Path Finder

This doesn't seem to work, and the field is not a MV.

0 Karma

yuanliu
SplunkTrust

Pro tip (to get help from volunteers): Describe/illustrate your data (anonymize as needed but explain any characteristics others need to know) and desired output; describe the logic connecting your data and desired results (short, simple sample code/pseudo code is fine); if you have tried sample code, illustrate output and explain why it differs from desired results.

From the OP to this, there is only one piece of sample code and an explanation that the token in the sample is not itself multivalued.  Unless you provide the rest of information, "it doesn't work" conveys absolutely no information.  In fact, avoid this phrase like a plague even at the best of times.
