Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

XML token defaults to * for a field and the need is to initialise * to output of a lookup

macadminrohit
Contributor
‎08-08-2018 12:26 PM

I have a drop down which populates the list of servers in the environment and the default value of the server token is * which gets all the servers and some extra as $server$=* , whereas i need * to be only the servers in the lookup. Here is my code

<fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="server" searchWhenChanged="true">
      <label>Select a server Number:</label>
      <default>*</default>
      <choice value="*">All servers</choice>
           <fieldForLabel>serverName</fieldForLabel>
      <fieldForValue>SERVER</fieldForValue>
      <search base="lookup_csv">
        <query>search OPEN="Y" AND  | search TimeZone=* AND Territory=* AND Region=* AND District=* AND STATE=*  
        | sort SERVER
        | rex mode=sed field=SERVER "s/(\d+)/000\1/" 
        | rex mode=sed field=SERVER "s/0*([0-9]{4})/\1/" 
        | eval storeName = SERVER+"-"+SERVER_NAME+"-"+STATE 
        | table SERVER serverName</query>
      </search>

As you can see, the lookup search will spit out all the servers which i require and i want the default value (* ) to be restricted to only these values(coming from lookup )

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎08-08-2018 06:05 PM

You need to filter that in the main search where the SERVER token is used

i.e. index=my_index |search [|inputlookup host_csv|additional filter|fields SERVER] | search SERVER=$SERVER$

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

macadminrohit
Contributor
‎08-11-2018 06:38 PM

Thanks, thats what I did and it fixed the problem.

0 Karma
Reply

renjith_nair
Legend
‎08-11-2018 07:47 PM

@macadminrohit, glad that worked. You may accept it as answer to close the thread.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...