Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

XML token defaults to * for a field and the need is to initialise * to output of a lookup

macadminrohit
Contributor
‎08-08-2018 12:26 PM

I have a drop down which populates the list of servers in the environment and the default value of the server token is * which gets all the servers and some extra as $server$=* , whereas i need * to be only the servers in the lookup. Here is my code

<fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="server" searchWhenChanged="true">
      <label>Select a server Number:</label>
      <default>*</default>
      <choice value="*">All servers</choice>
           <fieldForLabel>serverName</fieldForLabel>
      <fieldForValue>SERVER</fieldForValue>
      <search base="lookup_csv">
        <query>search OPEN="Y" AND  | search TimeZone=* AND Territory=* AND Region=* AND District=* AND STATE=*  
        | sort SERVER
        | rex mode=sed field=SERVER "s/(\d+)/000\1/" 
        | rex mode=sed field=SERVER "s/0*([0-9]{4})/\1/" 
        | eval storeName = SERVER+"-"+SERVER_NAME+"-"+STATE 
        | table SERVER serverName</query>
      </search>

As you can see, the lookup search will spit out all the servers which i require and i want the default value (* ) to be restricted to only these values(coming from lookup )

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎08-08-2018 06:05 PM

You need to filter that in the main search where the SERVER token is used

i.e. index=my_index |search [|inputlookup host_csv|additional filter|fields SERVER] | search SERVER=$SERVER$

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

macadminrohit
Contributor
‎08-11-2018 06:38 PM

Thanks, thats what I did and it fixed the problem.

0 Karma
Reply

renjith_nair
Legend
‎08-11-2018 07:47 PM

@macadminrohit, glad that worked. You may accept it as answer to close the thread.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...