Parameters for search

klausJohan · ‎11-06-2013

Hi,

What would be the available options in order to parameterize a search in a Splunk view ?

Let's say that all events that I'm indexing into Splunk contain a field , and that field can have values from a limited set of values. How would I make it possible for the user to specify that he is interested in events with fields having a particular value.

Thanks

somesoni2 · ‎11-06-2013

In the splunk views, you can use any of the Splunk controls like Dropdown (if user has to select from pre-defined values) or textbox which will allow user to specify the filter criteria. After that you can change your search to take values from the control.

If you have a dropdown with name field1 [which provides value for say FIELD1] then your search wil become

index=yourindex sourcetype=yoursourcetype.... FIELD1=$field1$...

You can add many control and use them in your search.

klausJohan · ‎11-07-2013

Dropdown would be perfect for me, if I could dinamically define the available options when the page loads.

lukejadamec · ‎11-06-2013

If you are searching for a single value, the simply search for it:

field="value"

If you are searching for more then one value, the use the OR operator (must be in caps)

field="value" OR field="value"

Parameters for search

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

Parameters for search

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!