Splunk Search

Using different input lookup commands based on token given in a dropdown

ft_kd02
Engager

Hi all,

First time poster, new to Splunk and query languages in general, please forgive if this is a silly question. 

I am trying to insert an additional layer of tokenization into a chained series of dropdowns. Working for my dashboard is a dropdown that gives us a set of values based on an input lookup command:

company dropdown ( input lookup xxxxx.csv) -> token2 dropdown-> token3 dropdown etc..

The ideal situation is using a new 'environment' dropdown that will pass it's token to the company dropdown to segregate the items listed in 'company' based on environment. I have two lookup files, each containing the relevant key/value pairings of that environment. Is it possible to use a token to change a search entirely based on what token is received? 

In more detail: 

Company dropdown search:  
| inputlookup xxxxxxx.csv
| fields description, value
| dedup description, value

The format of the lookup tables:
2 rows:
value description
value1 description1
value2 description2
etc...

Environment has two static values (field1, field1Value), (field2, field2Value). Can I pass in a different lookup table (or, just pass in a similar search with a different lookup) to the company dropdown, based on what environment token is given? 

It's not lost on me that I may be going about this the wrong way. If I'm going totally the wrong direction, let me know.

Thanks

Labels (2)
0 Karma
1 Solution

rupkumar4sec
Path Finder

You can do that. 
In environment dropdown, field1Value and field2Value should be your lookup names. Then in company dropdown use  that token in place of lookup name in inputlookup command

In environment dropdown
field1 lookup1.csv
field2 lookup2.csv

In company dropdown
| inputlookup $tokenfromenvironment$
| fields description, value
| dedup description, value


View solution in original post

rupkumar4sec
Path Finder

You can do that. 
In environment dropdown, field1Value and field2Value should be your lookup names. Then in company dropdown use  that token in place of lookup name in inputlookup command

In environment dropdown
field1 lookup1.csv
field2 lookup2.csv

In company dropdown
| inputlookup $tokenfromenvironment$
| fields description, value
| dedup description, value


View solution in original post

ft_kd02
Engager

@rupkumar4sec Thank you, so simple!

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!