Splunk Search

XML token defaults to * for a field and the need is to initialise * to output of a lookup

macadminrohit
Contributor

I have a drop down which populates the list of servers in the environment, and the default value of the server token is *, which gets all the servers and some extra as $server$=*, whereas I need * to be only the servers in the lookup. Here is my code:

<fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="server" searchWhenChanged="true">
      <label>Select a server Number:</label>
      <default>*</default>
      <choice value="*">All servers</choice>
      <fieldForLabel>serverName</fieldForLabel>
      <fieldForValue>SERVER</fieldForValue>
      <!-- Post-process search over the base search "lookup_csv": builds the dropdown choices from the lookup rows -->
      <search base="lookup_csv">
        <query>search OPEN="Y" | search TimeZone=* AND Territory=* AND Region=* AND District=* AND STATE=*
        | sort SERVER
        | rex mode=sed field=SERVER "s/(\d+)/000\1/"
        | rex mode=sed field=SERVER "s/0*([0-9]{4})/\1/"
        | eval serverName = SERVER+"-"+SERVER_NAME+"-"+STATE
        | table SERVER serverName</query>
      </search>
    </input>
</fieldset>

As you can see, the lookup search will spit out all the servers which I require, and I want the default value (*) to be restricted to only these values (coming from the lookup).

0 Karma

renjith_nair
Legend

You need to filter that in the main search where the SERVER token is used,

i.e. index=my_index | search [| inputlookup host_csv | additional filter | fields SERVER] | search SERVER=$SERVER$

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
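
The answer above, written out as a dashboard panel; this is an added example, not part of the original posts. `my_index` and `host_csv` are the answer's names, `OPEN="Y"` stands in for the "additional filter", `$server$` is the dropdown token as declared in the question, and the `stats` clause, time range and sample values are assumptions. It also assumes SERVER has the same format in the events, the lookup and the dropdown values.

```xml
<row>
  <panel>
    <table>
      <search>
        <!--
          Step 1: the subsearch runs first and is replaced by an OR list
          of the lookup's SERVER values, e.g. (constructed values):
            ( ( SERVER="0001" ) OR ( SERVER="0002" ) )
          This is the allowlist: events from servers that are not in the
          lookup are dropped before the token is applied.

          Step 2: the token filter narrows the allowlisted events.
          With the default "*", it matches every remaining event, so
          "All servers" now means "all servers in the lookup".
          The |s token filter wraps the value in quotes so a choice
          containing spaces or special characters stays a single
          search term.
        -->
        <query>index=my_index
        | search [| inputlookup host_csv
                  | search OPEN="Y"
                  | fields SERVER ]
        | search SERVER=$server|s$
        | stats count by SERVER</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </table>
  </panel>
</row>
```

Subsearch output is capped (10,000 rows by default), so a lookup larger than that would silently truncate the allowlist.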

macadminrohit
Contributor

Thanks, that's what I did and it fixed the problem.

0 Karma

renjith_nair
Legend

@macadminrohit, glad that worked. You may accept it as the answer to close the thread.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma