Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Manipulate Token Value and use in search

ekammer1
Engager
‎11-06-2020 06:32 AM

Hopefully, I can explain this to where it makes sense. I have a forum where I use a TEXT input to generate a token to search for one jobname in the data. This works perfectly for one jobname. I would like to be able to enter one or many different values. Normally I would use a multi-select, but there are over 65,000 possible jobnames. My JobName text input will generate token "tok_Job_Name", then in the search I have

| search Job_Name="$tok_Job_Name$"

I like to be able to enter one job for example JOBAA, or many JOBAA,JOBBB,JOBCC, etc and have the search return all jobs with the given jobnames. Is there a way to manipulate the token value within the search or create a new token after some regex? My thought was, I could use a simple regex command like

| rex field=$tok_Job_Name$ mode=sed "s/,/*","*/g", then the token would be formatted correctly to us a search IN. Hopefully, this makes sense and someone may be able to offer an idea. Thank you in advance for any and all help is given!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-06-2020 07:45 AM

Have you tried this?

| search Job_Name IN ($tok_Job_Name$)

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-06-2020 07:45 AM

Have you tried this?

| search Job_Name IN ($tok_Job_Name$)

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ekammer1
Engager
‎11-06-2020 07:53 AM

This works if the user puts the full job name for each item ie.. JOBAA,JOBB. I would also like to wild card, so I could search for JOBA,JOBBB and get back all jobs that have JOBA in them
Results

JOBAA

JOBAC

JOBAX

JOBBB

I could just instruct the user to add * when not using the full job name. Unless there is a way to manipulate the token adding this dynamically. 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...