Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use tokens from search in a lookup

Csparks321
New Member
‎09-18-2019 08:51 AM

So this might be overly complicated for what I'm trying to accomplish but perhaps you all might be able to assist me. Currently I am attempting to populate a dashboard panel with different searches based on a drop-down. The drop-down is using the Dynamic Options and searching from a lookup file(.csv) with the following field names:

search_name | search

In each of the rows in the search column, a specific query is displayed. The dropdown uses the search_name column as the value and creates a token named search_name_tk.

On the dashboard, I am running a inputlookup and filtering on the search_name.

 |inputlookup search_lookup.csv |search search_name="$search_name_tk$" 
|stats values(search) AS "search" by search_name

From there I set a token based on the results of the inputlookup search.

 <condition match=" 'job.resultCount' != 0">
        <set token="search_tk">$result.search$</set>
</condition>

Here is the full search

<search>
    <query>
    |inputlookup search_lookup.csv |where search_name="$search_name_tk$" |stats values(search) AS "search" by search_name
    </query>
    <finalized>
      <condition match=" 'job.resultCount' != 0">
        <set token="search_tk">$result.search$</set>
      </condition>
      <condition>
        <set token="search_tk">No result found</set>
       </condition>
    </finalized>
  </search>

Using this I then place the $search_tk$ in the panel search. This seems to work and populates the searches from the lookup correctly, however, I am running into another issue where if there is token usage within the search in the lookup it does not seem to run properly. For example, if there is another drop-down for Computer Name on the dashboard which has computer_name_tk as the token. If said token is referenced in the search in the lookup it does not populate.

I have a feeling there is a better way to get the result I am looking for. Dynamically populating multiple searches based on a drop-down but this is the best I have been able to come up with given my limited knowledge and the answers I have been able to find here. Any assistance you all can provide would be greatly appreciated!

0 Karma
Reply

Anantha123
Communicator
‎09-18-2019 10:09 AM

Try unset token also in condition.

0 Karma
Reply

Csparks321
New Member
‎09-19-2019 08:49 AM

Setting the unset token in the panel search?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...