Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use tokens from search in a lookup

Csparks321
New Member
‎09-18-2019 08:51 AM

So this might be overly complicated for what I'm trying to accomplish but perhaps you all might be able to assist me. Currently I am attempting to populate a dashboard panel with different searches based on a drop-down. The drop-down is using the Dynamic Options and searching from a lookup file(.csv) with the following field names:

search_name | search

In each of the rows in the search column, a specific query is displayed. The dropdown uses the search_name column as the value and creates a token named search_name_tk.

On the dashboard, I am running a inputlookup and filtering on the search_name.

 |inputlookup search_lookup.csv |search search_name="$search_name_tk$" 
|stats values(search) AS "search" by search_name

From there I set a token based on the results of the inputlookup search.

 <condition match=" 'job.resultCount' != 0">
        <set token="search_tk">$result.search$</set>
</condition>

Here is the full search

<search>
    <query>
    |inputlookup search_lookup.csv |where search_name="$search_name_tk$" |stats values(search) AS "search" by search_name
    </query>
    <finalized>
      <condition match=" 'job.resultCount' != 0">
        <set token="search_tk">$result.search$</set>
      </condition>
      <condition>
        <set token="search_tk">No result found</set>
       </condition>
    </finalized>
  </search>

Using this I then place the $search_tk$ in the panel search. This seems to work and populates the searches from the lookup correctly, however, I am running into another issue where if there is token usage within the search in the lookup it does not seem to run properly. For example, if there is another drop-down for Computer Name on the dashboard which has computer_name_tk as the token. If said token is referenced in the search in the lookup it does not populate.

I have a feeling there is a better way to get the result I am looking for. Dynamically populating multiple searches based on a drop-down but this is the best I have been able to come up with given my limited knowledge and the answers I have been able to find here. Any assistance you all can provide would be greatly appreciated!

0 Karma
Reply

Anantha123
Communicator
‎09-18-2019 10:09 AM

Try unset token also in condition.

0 Karma
Reply

Csparks321
New Member
‎09-19-2019 08:49 AM

Setting the unset token in the panel search?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...