Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

is it possible to use tokens from 2 different files together in a query?

anooshac
Communicator
‎03-04-2020 10:12 PM

Hi all, i have been trying to use 2 tokens which are calculated from 2 different files in another query. But it is not working. Can i use 2 tokens from different files in one query or is there any alternative way to achieve this?

Tags (3)
0 Karma
Reply

sumanssah
Communicator
‎03-04-2020 10:31 PM

Yes, it's possible to use 2 tokens from 2 different searches into 1 search. Try using the below-mentioned sample dashboard and change variable as per requirement 

<form theme="dark">
  <label>Host Login Details</label>
  <fieldset submitButton="false">
    <input type="time" token="timeFrame">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>field1</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>field1</fieldForLabel>
      <fieldForValue>field1</fieldForValue>
      <search>
        <query><your search1>| dedup field1 | table field1</query>
      </search>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true">
      <label>field2</label>
      <choice value="*">all</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>field2</fieldForLabel>
      <fieldForValue>field2</fieldForValue>
      <search>
        <query><your search2>| dedup field2 | table field2</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query><your search> field1=$field1$ field2=$field2$ 

| table _time field1 field2</query>
          <earliest>$timeFrame.earliest$</earliest>
          <latest>$timeFrame.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

anooshac
Communicator
‎03-05-2020 12:17 AM

Hi @sumanssah thanks for responding! Actually i am getting the 2 tokens from 2 different files using query. And i am using both of them in the next query. But when both are being used together i am not getting any results. If anyone of them is used at a time i am getting a part of the output. do you know what will be the problem here?

0 Karma
Reply

harshpatel
Contributor
‎03-04-2020 10:29 PM

Please elaborate more on what you are trying to achieve.

0 Karma
Reply

anooshac
Communicator
‎03-05-2020 12:20 AM

hi @harshpatel , i have 2 tokens which are coming from 2 different json files. and i want to use them in the next query. But i am not able to do that. When i use both of them together i am not getting any results. Do you know if any solution for this!

0 Karma
Reply

harshpatel
Contributor
‎03-07-2020 04:22 AM

Did you check if the query generated after replacing both tokens has valid condition(which should satisfy the condition on event)?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...