Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Manipulate Token Value and use in search

ekammer1
Engager
‎11-06-2020 06:32 AM

Hopefully, I can explain this to where it makes sense. I have a forum where I use a TEXT input to generate a token to search for one jobname in the data. This works perfectly for one jobname. I would like to be able to enter one or many different values. Normally I would use a multi-select, but there are over 65,000 possible jobnames. My JobName text input will generate token "tok_Job_Name", then in the search I have

| search Job_Name="$tok_Job_Name$"

I like to be able to enter one job for example JOBAA, or many JOBAA,JOBBB,JOBCC, etc and have the search return all jobs with the given jobnames. Is there a way to manipulate the token value within the search or create a new token after some regex? My thought was, I could use a simple regex command like

| rex field=$tok_Job_Name$ mode=sed "s/,/*","*/g", then the token would be formatted correctly to us a search IN. Hopefully, this makes sense and someone may be able to offer an idea. Thank you in advance for any and all help is given!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-06-2020 07:45 AM

Have you tried this?

| search Job_Name IN ($tok_Job_Name$)

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-06-2020 07:45 AM

Have you tried this?

| search Job_Name IN ($tok_Job_Name$)

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ekammer1
Engager
‎11-06-2020 07:53 AM

This works if the user puts the full job name for each item ie.. JOBAA,JOBB. I would also like to wild card, so I could search for JOBA,JOBBB and get back all jobs that have JOBA in them
Results

JOBAA

JOBAC

JOBAX

JOBBB

I could just instruct the user to add * when not using the full job name. Unless there is a way to manipulate the token adding this dynamically. 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...