Splunk Search

search help, token

yohhpark
Path Finder

system_id = AA-1, AA-1-a, AA-1-b, AA-10, AA-10-a, AA-10-b, AA-12, AA-12-a, AA-12-b, ...

and so on. Notice all the system_ids start with the common 'AA-1' and * afterward. However, when I use it as a token, as you've probably already felt the problem, AA-10* would return ALL the following ids that start with AA-10* and nothing else, so good. However, if I choose AA-1*, not only does it return the values that start with AA-1 but also AA-10 and AA-12, which I do not want. I'm trying to make this a dashboard, a dropdown with a token, where the user picks AA-1, and it only returns ALL the values that only have AA-1, aa-1-a, aa-1-b and so on.

I need your help, search gurus,


I want to search for all results with AA-1, NOT showing AA-10 or AA-12, yet I also need them in one token.

0 Karma
1 Solution

bowesmana
SplunkTrust

Why do you need them in one token?

You will not be able to search for AA-1* without picking up the AA-10, so if you have a token that is base_id, which contains AA-1, which you search for, i.e.

system_id=$base_token$*

and then a second token with AA-1($|-) and do a regex, e.g.

| regex system_id="$regex_token$"


0 Karma
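As an added illustration (not code from the thread), here is a Python model of the two stages this answer describes: the wildcard search `system_id=$base_token$*` followed by `| regex system_id="$regex_token$"`, with the regex token built as `AA-1($|-)`. The system_id values are a constructed sample taken from the question; Splunk's search-time wildcard match is modelled as a case-insensitive prefix test and the regex command as an unanchored search.

```python
import re

# Constructed sample of the system_id values listed in the question.
SYSTEM_IDS = [
    "AA-1", "AA-1-a", "AA-1-b",
    "AA-10", "AA-10-a", "AA-10-b",
    "AA-12", "AA-12-a", "AA-12-b",
]


def wildcard_stage(ids, base_token):
    """Stage 1: what  system_id=$base_token$*  returns.

    A trailing wildcard is a prefix match, so AA-1* also picks up AA-10 and AA-12.
    Field matching in the search command is case-insensitive, hence the lower().
    """
    prefix = base_token.lower()
    return [i for i in ids if i.lower().startswith(prefix)]


def build_regex_token(base_token):
    """The second token from the answer: base id followed by end-of-string or '-'.

    For AA-1 this yields AA\\-1($|-), which matches AA-1 and AA-1-a but not AA-10,
    because the character after 'AA-1' in AA-10 is '0', not end-of-string or '-'.
    """
    return re.escape(base_token) + "($|-)"


def regex_stage(ids, regex_token):
    """Stage 2: what  | regex system_id="$regex_token$"  keeps (unanchored search)."""
    pattern = re.compile(regex_token)
    return [i for i in ids if pattern.search(i)]


def filter_ids(ids, base_token):
    """Both stages chained, as the dashboard search would run them."""
    narrowed = wildcard_stage(ids, base_token)
    return regex_stage(narrowed, build_regex_token(base_token))


if __name__ == "__main__":
    print("wildcard only:", wildcard_stage(SYSTEM_IDS, "AA-1"))
    print("wildcard + regex:", filter_ids(SYSTEM_IDS, "AA-1"))
    print("AA-10:", filter_ids(SYSTEM_IDS, "AA-10"))
```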

yuanliu
SplunkTrust

First, some house cleaning: You posted two nearly identical topics.  This one appears to be more specific in subject.  Could you delete https://community.splunk.com/t5/Splunk-Search/searching-for-specific-result/m-p/659465#M227694, then?

Second, you need to give enough context for a person with no context about your environment, dataset, etc., to understand what difficulty you face, what attempts you have made with what result.  Do not assume that volunteers are mind-readers.  For example,


and so on. Notice all the system_id starts with common 'AA-1' and * afterward. However, when use it as a token, as you've already feel the problem, AA-10* would return ALL the following id's start

Never mind the problem.  I fail to see any problem with putting system_id in a token as discrete values.  For one, system_id starts with AA-1, but there is no asterisk ('*') in any of the examples.  If I use <your initial search> | stats count by system_id to populate $mytoken$, none of the values will have a wildcard.  Your problem statement implies that you populate $mytoken$ either with fixed strings including AA-1*, AA-10*, etc., or you populate $mytoken$ with a search like my example, but manipulate the results in a way that adds a wildcard to certain positions.  Another person would have no way of knowing why you populate $mytoken$ with AA-1* instead of AA-1-*, for example.

Then, there is a question of use of said token.  Do you use it in a search command?  A where command?  A match function?  A different part of an eval expression?  Each of these can work with a string differently.

Can you explain how that wildcard character gets into your token values and how your token is used?

0 Karma
