Solved: Limiting lookup options using a token

ft_kd02 · ‎08-09-2021

Hi all,

I have a lookup and I'd like to filter based on tokenized value. The lookup dropdown also sets a different token based on selection. This would normally be a simple task, but I've been asked to have the lookup pre-filtered based on who is using the app. Each item in the dropdown represents a different user.

The lookup:

| inputlookup $tokLookup$
| fields field_description, field
| dedup field,field_description

field for label = field_description
field for value = field

The pseudo code of what I'd like to do is simple:

| inputlookup $tokLookup$
| where field="$tokUserRole$"
| fields field_description, field
| dedup field,field_description

Is this possible within the constraints, such that I'm only producing the single value from the lookup corresponding to the user?

ft_kd02 · ‎08-09-2021

Turned out to be a issue in how the data was handled before it hit the token and when the token was populated. The above solution should work:

| inputlookup $tokLookup$
| where field="$tokUserRole$"
| fields field_description, field
| dedup field,field_description

View solution in original post

ft_kd02 · ‎08-09-2021

Turned out to be a issue in how the data was handled before it hit the token and when the token was populated. The above solution should work:

| inputlookup $tokLookup$
| where field="$tokUserRole$"
| fields field_description, field
| dedup field,field_description

Limiting lookup options using a token

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Join the Conversation