Solved: Limiting lookup options using a token

ft_kd02 · ‎08-09-2021

Hi all,

I have a lookup and I'd like to filter based on tokenized value. The lookup dropdown also sets a different token based on selection. This would normally be a simple task, but I've been asked to have the lookup pre-filtered based on who is using the app. Each item in the dropdown represents a different user.

The lookup:

| inputlookup $tokLookup$
| fields field_description, field
| dedup field,field_description

field for label = field_description
field for value = field

The pseudo code of what I'd like to do is simple:

| inputlookup $tokLookup$
| where field="$tokUserRole$"
| fields field_description, field
| dedup field,field_description

Is this possible within the constraints, such that I'm only producing the single value from the lookup corresponding to the user?

ft_kd02 · ‎08-09-2021

Turned out to be a issue in how the data was handled before it hit the token and when the token was populated. The above solution should work:

| inputlookup $tokLookup$
| where field="$tokUserRole$"
| fields field_description, field
| dedup field,field_description

View solution in original post

ft_kd02 · ‎08-09-2021

Turned out to be a issue in how the data was handled before it hit the token and when the token was populated. The above solution should work:

| inputlookup $tokLookup$
| where field="$tokUserRole$"
| fields field_description, field
| dedup field,field_description

Limiting lookup options using a token

lookup

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms