Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

XML token defaults to * for a field and the need is to initialise * to output of a lookup

macadminrohit
Contributor
‎08-08-2018 12:26 PM

I have a drop down which populates the list of servers in the environment and the default value of the server token is * which gets all the servers and some extra as $server$=* , whereas i need * to be only the servers in the lookup. Here is my code

<fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="server" searchWhenChanged="true">
      <label>Select a server Number:</label>
      <default>*</default>
      <choice value="*">All servers</choice>
           <fieldForLabel>serverName</fieldForLabel>
      <fieldForValue>SERVER</fieldForValue>
      <search base="lookup_csv">
        <query>search OPEN="Y" AND  | search TimeZone=* AND Territory=* AND Region=* AND District=* AND STATE=*  
        | sort SERVER
        | rex mode=sed field=SERVER "s/(\d+)/000\1/" 
        | rex mode=sed field=SERVER "s/0*([0-9]{4})/\1/" 
        | eval storeName = SERVER+"-"+SERVER_NAME+"-"+STATE 
        | table SERVER serverName</query>
      </search>

As you can see, the lookup search will spit out all the servers which i require and i want the default value (* ) to be restricted to only these values(coming from lookup )

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎08-08-2018 06:05 PM

You need to filter that in the main search where the SERVER token is used

i.e. index=my_index |search [|inputlookup host_csv|additional filter|fields SERVER] | search SERVER=$SERVER$

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

macadminrohit
Contributor
‎08-11-2018 06:38 PM

Thanks, thats what I did and it fixed the problem.

0 Karma
Reply

renjith_nair
Legend
‎08-11-2018 07:47 PM

@macadminrohit, glad that worked. You may accept it as answer to close the thread.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...