Limiting lookup options using a token

ft_kd02
Path Finder

Hi all,

I have a lookup and I'd like to filter based on a tokenized value. The lookup dropdown also sets a different token based on selection. This would normally be a simple task, but I've been asked to have the lookup pre-filtered based on who is using the app. Each item in the dropdown represents a different user.

The lookup:

| inputlookup $tokLookup$
| fields field_description, field
| dedup field,field_description

field for label = field_description
field for value = field

The pseudo code of what I'd like to do is simple:

| inputlookup $tokLookup$
| where field="$tokUserRole$"
| fields field_description, field
| dedup field,field_description

Is this possible within the constraints, such that I'm only producing the single value from the lookup corresponding to the user?

1 Solution

ft_kd02
Path Finder

Turned out to be an issue in how the data was handled before it hit the token and when the token was populated. The above solution should work:

| inputlookup $tokLookup$
| where field="$tokUserRole$"
| fields field_description, field
| dedup field,field_description
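
One way to populate the tokens before the dropdown search runs, as an added Simple XML example that is not part of the original posts. It assumes the lookup's `field` column holds Splunk usernames; the lookup name `user_fields.csv` and the token `tokSelected` are hypothetical.

```xml
<form version="1.1">
  <label>Per-user lookup filter (constructed example)</label>

  <!-- Runs at load and resolves the logged-in user on the search head. -->
  <search>
    <query>| rest /services/authentication/current-context splunk_server=local
| head 1
| fields username</query>
    <done>
      <!-- Assumption: the lookup's "field" column holds Splunk usernames. -->
      <set token="tokUserRole">$result.username$</set>
      <!-- Hypothetical lookup name; the thread does not give one. -->
      <set token="tokLookup">user_fields.csv</set>
    </done>
  </search>

  <fieldset submitButton="false">
    <!-- The dropdown search stays pending until both tokens above are set. -->
    <input type="dropdown" token="tokSelected" searchWhenChanged="true">
      <label>Field</label>
      <fieldForLabel>field_description</fieldForLabel>
      <fieldForValue>field</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <!-- The |s filter wraps the token value in quotes and escapes
             embedded quotes, so the value cannot break out of the string. -->
        <query>| inputlookup $tokLookup$
| where field=$tokUserRole|s$
| fields field_description, field
| dedup field, field_description</query>
      </search>
    </input>
  </fieldset>
</form>
```

A token filter only shapes what the dropdown shows: anyone with read permission on the lookup can still run `inputlookup` against it directly, so restrict the lookup's permissions if the other users' rows are sensitive.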

 

 
