how to pass filter token based on filter value in ...

avni26 · ‎02-26-2020

Hi,
I have below multiselect filter , based on username="ABC" , I need to display two more filters.( ip, city)
And when those two input multiselect values should also reflect on our all panel , else it should not get search

<input id="selid"> <search >      <query>search user IN ($seluser$) |      table id | dedup id</query> </search>    <delimiter>, </delimiter>      <default>*</default> <change>      <condition value="ABC"> <set      token="set_tok"></set> <set      token="set_info">  ip IN ($selip$) city IN      ($selcity$)</set> </condition>      <condition> <unset      token="set_tok"></unset> <set      token="set_info"></set> </condition>     </change></input>

Base query:
index........ | search name IN ($selname$) user IN ($seluser$) id IN($selid$) $set_info$

Now , I want to show below as in panel
When I select user=ABC
index ... | search name IN ($selname$) user IN ($seluser$) id IN($selid$) ip IN ($selip$) city IN ($selcity$)

else for other user
index ... | search name IN ($selname$) user IN ($seluser$) id IN($selid$)

I am getting problem , when I am trying to change the value on any of those two filter (ip, city) , its only taking the initial value , when I changed to anything else no effect on panels,
Please suggest , what I am doing wrong here.

to4kawa · ‎02-26-2020

 <set token="set_info"> ip IN ($selip$) city IN      ($selcity$)</set>

this statement only works at first.

avni26 · ‎02-26-2020

@to4kawa yes, how to write and at where should this statement will go? Please suggest

to4kawa · ‎02-27-2020

three tokens throw main search. not to input.

how to pass filter token based on filter value in search query?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7