Splunk Search

Passing tokens dynamically to search query

k_harini
Communicator

I have a drop down which I populate with the query and editing field values
index="myindex"|stats values(Category) as categories|rex field=categories mode=sed "s/Change Request/CR/" |rex field=categories mode=sed "s/Central Functions/CF/"| mvexpand categories|eval label= categories |eval value = categories

Now since I had changed drop down values how will i pass the original field value as token to my search query where it will work
index="myindex" Category=$categories$| chart count over sourcetype by "Priority" | addtotals fieldname=Total| foreach * [eval Req_Percent = count *100 / Total] | fields - Total

This is not working.. I want to pass the category i select from drop down and change it to field value and pass to query.. How can i accomplish that.. Please help

Tags (1)
0 Karma

sundareshr
Legend

Try this

index="myindex" | rex field=categories mode=sed "s/Change Request/CR/" | rex field=categories mode=sed "s/Central Functions/CF/"| mvexpand categories |  search Category="$categories$" | chart count over sourcetype by "Priority" | addtotals fieldname=Total| foreach * [eval Req_Percent = count *100 / Total] | fields - Total
0 Karma

gcusello
SplunkTrust
SplunkTrust

if you open the search dashboard from your panel, what you find instead of $categories$?
Bye.
Giuseppe

0 Karma

k_harini
Communicator

I get no results found.. When i give query with full field values, its displaying correctly

0 Karma

gcusello
SplunkTrust
SplunkTrust

Open your search in the search dashboard, you should have something like this:

index="myindex" Category=$categories$|...

or

index="myindex" Category=Category=$categories$| ...

or something else, in other words: what you have after Category=?.

Every way make another try, if some values of category are strings with spaces:
index="myindex" Category="$categories$"| ...
put double quotes around token.

Bye.
Giuseppe

0 Karma

k_harini
Communicator

I added double quotes. Reason its not displaying is.. I have used rex in dropdown query and modified the values in drop down (reduced field values length).. when i pass those values to search, they are not there in my log and not getting displayed. Problem here is I'm not able to add rex as calculated field in props file.. Any idea on how to add this as calculated field? Thanks!

0 Karma

nagarjuna560
New Member

Harini,
did you find a solution to this issue?

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...