Splunk Search

Reuse token across different indexes / searches

Ste
Path Finder

Hi

Based on a Multiselect reading from

index="pm-azlm_internal_prod_events" sourcetype="azlm"

I define a token with the name opc_t.

This token can be used without any problems further down in the dashboard to filter data read from the same index (top 3 lines in the code below).

<query>index="pm-azlm_internal_prod_events" sourcetype="azlm" $opc_t$ $framenum$
    | strcat opc "_" frame_num UNIQUE_ID
    | dedup _time UNIQUE_ID

    | append
        [ search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp=$opc_t|s$
        | strcat ocp "-j_" fr as UNIQUE_ID
        | dedup UNIQUE_ID]

    | timechart span=12h aligntime=@d limit=0 count by UNIQUE_ID
    | sort by _time DESC
</query>


BUT, and here's my problem: using the same token on a different index (used in the append above) provides no results at all.

One (nasty) detail: the field names in both indexes are slightly different. In index="pm-azlm_internal_prod_events" the field name I need to filter on is called opc. In the second index, pm-azlm_internal_dev_events, the field name is ocp.

Dear Experts: what do I need to change on the 2nd query to be able to use the same token for filtering?


bowesmana
SplunkTrust

As @marnall says, you are using the token differently in each part of the search. How have you defined the multiselect prefix/suffix settings?

You are using the syntax $opc_t|s$ correctly, which will cause it to be quoted, so you don't need to surround that with extra quotes as in the other example. However, as you are able to define the token prefix/suffix and value prefix/suffix, you generally just need to use $opc_t$.

Let's assume your multiselect has this type of definition

        <prefix> IN (</prefix>
        <suffix>)</suffix>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter>, </delimiter>

so the token prefix is IN ( and then each value will be quoted with valuePrefix/valueSuffix and delimited with a comma, and then the final token will be terminated with ), so your token would look like

IN ("a","b","c","d")

so you would then use it like this

... opc=$opc_t$ ...

OR 

... ocp=$opc_t$ ...

because you have not included the field name in the token value itself. 

Ste
Path Finder

The problem was definitely in the multisearch.

My original one was:

<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>opc="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>OR</delimiter>

Based on the feedback of @bowesmana and @marnall I changed it to:

<prefix>IN (</prefix>
<suffix>)</suffix>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>

And further down the search:

index="pm-azlm_internal_prod_events" sourcetype="azlm" opc $opc_t$
...
| append
    [search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp $opc_t$
...

All is now working as expected, thank you for your support.
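Added example, not code from the thread or from Splunk: a plain Python reimplementation of the documented multiselect concatenation (prefix, valuePrefix/valueSuffix per value, delimiter, suffix), run over the original and the corrected settings posted above to show why the original token could only ever filter opc and why ocp=$opc_t|s$ collapsed it into a single quoted literal. The escaping done by the |s filter is an assumption written into the code, and the selected values are constructed.

```python
# Added example, not code from the thread or from Splunk: a plain reimplementation
# of how a Simple XML multiselect assembles its token from prefix/suffix/
# valuePrefix/valueSuffix/delimiter, to compare the original settings with the
# corrected ones from bowesmana's answer.

def render_token(values, prefix="", suffix="", value_prefix="", value_suffix="", delimiter=","):
    """Concatenate prefix + (valuePrefix v valueSuffix ...) joined by delimiter + suffix."""
    if not values:
        return ""
    body = delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in values)
    return f"{prefix}{body}{suffix}"


def filter_s(value):
    """Approximation of the $token|s$ filter (assumed): quote and escape \\ and \"."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def expand(spl, token_value):
    """Substitute $opc_t|s$ (quoted) and $opc_t$ (raw) in an SPL fragment."""
    return spl.replace("$opc_t|s$", filter_s(token_value)).replace("$opc_t$", token_value)


# The two multiselect definitions exactly as posted in the thread (delimiter rendered literally).
ORIGINAL = dict(prefix="(", suffix=")", value_prefix='opc="', value_suffix='"', delimiter="OR")
CORRECTED = dict(prefix="IN (", suffix=")", value_prefix='"', value_suffix='"', delimiter=", ")
SELECTED = ["a", "b"]  # constructed sample selection


def compare(selected=SELECTED):
    """Return the expanded filter for the prod (opc) and dev (ocp) searches under both settings."""
    old = render_token(selected, **ORIGINAL)
    new = render_token(selected, **CORRECTED)
    return {
        # Original: the field name opc is baked into the token, so a bare $opc_t$ only
        # ever filters opc, and ocp=$opc_t|s$ turns the whole expression into one literal.
        "original_prod": expand("$opc_t$", old),
        "original_dev": expand("ocp=$opc_t|s$", old),
        # Corrected: the token carries only the IN (...) list; the field name stays in SPL.
        "corrected_prod": expand("opc $opc_t$", new),
        "corrected_dev": expand("ocp $opc_t$", new),
    }


if __name__ == "__main__":
    for name, spl in compare().items():
        print(f"{name:15} {spl}")
```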


marnall
Motivator

It seems that you are using the opc_t token as a keyword search in the first line, and then as a field filter in the appended search. Does it work when you use opc=$opc_t|s$ as the filter in your first line?

<query>index="pm-azlm_internal_prod_events" sourcetype="azlm" opc=$opc_t|s$ $framenum$
| strcat opc "_" frame_num UNIQUE_ID
| dedup _time UNIQUE_ID
| append
[ search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp=$opc_t|s$
| strcat ocp "-j_" fr as UNIQUE_ID
| dedup UNIQUE_ID]
| timechart span=12h aligntime=@d limit=0 count by UNIQUE_ID
| sort by _time DESC
</query>

A good way to debug this is to click the magnifying glass in the lower-right part of the panel to launch the search with the current value of the opc_t token. It may result in a bad filter which removes all your search results, which can then be adjusted so it does not remove all results.

(note: put the token between double-quotes if it can contain a space character) (As bowesmana said, this is not necessary)
