Hi
Based on a Multiselect reading from
index="pm-azlm_internal_prod_events" sourcetype="azlm"
I define a token with the name
opc_t
This token can be used without any problems to filter further down in the dashboard data read from the same index (top 3 lines in the code below).
<query>index="pm-azlm_internal_prod_events" sourcetype="azlm" $opc_t$ $framenum$
| strcat opc "_" frame_num UNIQUE_ID
| dedup _time UNIQUE_ID
| append
[ search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp=$opc_t|s$
| strcat ocp "-j_" fr UNIQUE_ID
| dedup UNIQUE_ID]
| timechart span=12h aligntime=@d limit=0 count by UNIQUE_ID
| sort - _time
</query>
BUT, and here's my problem: using the same token on a different index (used in the append above) will provide no results at all.
One (nasty) detail: the field names in both indexes are slightly different. In
index="pm-azlm_internal_prod_events"
the field name I need to filter on is called
opc
In the second index
pm-azlm_internal_dev_events
the field name is
ocp
Dear Experts: what do I need to change on the 2nd query, to be able to use the same token for filtering?
As @marnall says, you are using the token differently in each part of the search. How have you defined the multiselect prefix/suffix settings?
You are using the syntax $opc_t|s$ correctly which will cause it to be quoted, so you don't need to surround that with extra quotes as in the other example. However, as you are able to define the token prefix/suffix and value prefix/suffix you generally just need to use $opc_t$.
Let's assume your multiselect has this type of definition
<prefix> IN (</prefix>
<suffix>)</suffix>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>
so the token prefix is IN ( and then each value will be quoted with valuePrefix/valueSuffix and delimited with a comma, and then the final token will be terminated with ) so your token would look like
IN ("a","b","c","d")
so you would then use it like this
... opc=$opc_t$ ...
OR
... ocp=$opc_t$ ...
because you have not included the field name in the token value itself.
The problem was definitely in the multiselect.
My original one was:
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>opc="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>OR</delimiter>
Based on the feedback of @bowesmana and @marnall I changed it to:
<prefix>IN (</prefix>
<suffix>)</suffix>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>
And further down the search:
index="pm-azlm_internal_prod_events" sourcetype="azlm" opc $opc_t$
...
| append
[search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp $opc_t$
...
All is now working as expected, thank you for your support.
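As an added example, not part of this thread and not anyone's actual dashboard, here is a minimal Simple XML form that puts the corrected multiselect definition next to a panel query reusing the token against both field names. The index, sourcetype and field names come from the question; the choice-population search, the labels, the time ranges and the omission of the $framenum$ token are assumptions.

```xml
<!-- Added example (not from the thread). A multiselect whose token expands to an
     IN (...) list of bare values, so the same token can follow either field name. -->
<form>
  <label>OPC filter across prod and dev (example)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="opc_t">
      <label>OPC</label>
      <!-- Assumed: populate the choices from the prod index -->
      <search>
        <query>index="pm-azlm_internal_prod_events" sourcetype="azlm" | stats count by opc | sort opc</query>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>opc</fieldForLabel>
      <fieldForValue>opc</fieldForValue>
      <!-- Selecting a and b renders $opc_t$ as: IN ("a", "b")
           The field name is deliberately NOT part of valuePrefix. -->
      <prefix>IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>, </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Same token, two field names: opc IN (...) and ocp IN (...) -->
          <query>index="pm-azlm_internal_prod_events" sourcetype="azlm" opc $opc_t$
| strcat opc "_" frame_num UNIQUE_ID
| dedup _time UNIQUE_ID
| append
    [ search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp $opc_t$
    | strcat ocp "-j_" fr UNIQUE_ID
    | dedup UNIQUE_ID ]
| timechart span=12h aligntime=@d limit=0 count by UNIQUE_ID</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because the field name stays outside the token, the rendered `IN ("a", "b")` is valid after either `opc` or `ocp`. Do not add the `|s` filter in this layout: `$opc_t|s$` wraps the whole expansion in one pair of double quotes, so the field would be compared against the literal string rather than against the list. If you want to see exactly what the token rendered to, open the panel search (magnifying glass) and read the expanded query string.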
It seems that you are using the opc_t token as a keyword search in the first line, and then as a field filter in the appended search. Does it work when you use opc=$opc_t|s$ as the filter in your first line?
<query>index="pm-azlm_internal_prod_events" sourcetype="azlm" opc=$opc_t|s$ $framenum$
| strcat opc "_" frame_num UNIQUE_ID
| dedup _time UNIQUE_ID
| append
[ search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp=$opc_t|s$
| strcat ocp "-j_" fr UNIQUE_ID
| dedup UNIQUE_ID]
| timechart span=12h aligntime=@d limit=0 count by UNIQUE_ID
| sort - _time
</query>
A good way to debug this is to click the magnifying glass in the lower-right part of the panel to launch the search with the current value of the opc_t token. It may result in a bad filter which removes all your search results, which can then be adjusted so it does not remove all results.
(note: put the token between double-quotes if it can contain a space character) (As bowesmana said, this is not necessary)