Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to use a token variable in a search...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jravida
Communicator
09-03-2014
12:29 PM
Hey folks,
I had an idea, but am not sure if it can be done in Splunk. I want have a dashboard where you can enter text (such as an IP) into a search, and pass that token to a lookup table (of, say, CIDR blocks my company uses, and the name/label we've named the CIDR block, like N Main, Huntington, etc ) and it would output that name of section of the network the IP originates.
Where I think it will fail is that there is no index I am searching on. I just want it to bounce the IP off of the CIDR blocks we have in the lookup table, and output the name. Thanks in advance for your help.
Edit: I should mention that I have CIDR block lookup working for normal searches.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-03-2014
02:22 PM
It should work fine. The simple XML might look like this:
<form>
<label>Sample search</label>
<searchTemplate>index = main | head 1 | eval IP="$IP_input$"
| lookup yourLookupName lookupFieldName as IP OUTPUT outputFieldName
</searchTemplate>
<fieldset>
<input type="text" token="IP_input" />
</fieldset>
<row>
<table>
<title>Results</title>
<option name="count">10</option>
</table>
</row>
</form>
You can actually start a searchTemplate with a | lookup ... but that won't work here, because you need to get the user's input into a variable. So I included a "dummy search" that just looks at the main index and pulls the first event it finds - and then ignores it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-03-2014
02:22 PM
It should work fine. The simple XML might look like this:
<form>
<label>Sample search</label>
<searchTemplate>index = main | head 1 | eval IP="$IP_input$"
| lookup yourLookupName lookupFieldName as IP OUTPUT outputFieldName
</searchTemplate>
<fieldset>
<input type="text" token="IP_input" />
</fieldset>
<row>
<table>
<title>Results</title>
<option name="count">10</option>
</table>
</row>
</form>
You can actually start a searchTemplate with a | lookup ... but that won't work here, because you need to get the user's input into a variable. So I included a "dummy search" that just looks at the main index and pulls the first event it finds - and then ignores it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jravida
Communicator
09-03-2014
03:03 PM
Awesome! Great workaround. I was sooooo close!
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
