
search help, token

yohhpark
Path Finder

system_id = AA-1, AA-1-a, AA-1-b, AA-10, AA-10-a, AA-10-b, AA-12, AA-12-a, AA-12-b, ...

and so on. Notice all the system_id values start with the common 'AA-1' and * afterward. However, when I use it as a token, as you may have already felt the problem, AA-10* would return ALL the following ids that start with AA-10* and nothing else, so good. However, if I choose AA-1*, not only does it return the values that start with AA-1 but also AA-10 and AA-12, which I do not want. Trying to make this a dashboard, dropdown with token, where the user picks AA-1, and it only returns ALL the values that only have AA-1, aa-1-a, aa-1-b and so on.

I need your help, search gurus.

 

I want to search for all results AA-1, NOT showing AA-10 or AA-12, YET I also need them in one token.

1 Solution

bowesmana
SplunkTrust

Why do you need them in one token?

You will not be able to search for AA-1* without picking up the AA-10, so if you have a token that is base_id, which contains AA-1, which you search for, i.e.

system_id=$base_token$*

and then a second token with AA-1($|-) and do a regex, e.g.

| regex system_id="$regex_token$"

 

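The two-token approach in this answer, worked through as a constructed Python example added here (it is not code from the thread or from Splunk): the wildcard filter stands in for `system_id=$base_token$*`, and the regex filter stands in for the follow-up `| regex system_id="$regex_token$"`. The sample ids are made up to mirror the shape in the question, and the leading `^` anchor and `re.escape` call are my additions, not part of the answer as written.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of system_id values, mirroring the shape in the question.
SYSTEM_IDS = [
    "AA-1", "AA-1-a", "AA-1-b",
    "AA-10", "AA-10-a", "AA-10-b",
    "AA-12", "AA-12-a", "AA-12-b",
]


def wildcard_filter(ids, base):
    """Stand-in for system_id=$base_token$* in the dashboard search.

    A trailing * is a prefix match, so base 'AA-1' also swallows AA-10
    and AA-12. This is the behaviour the question complains about.
    """
    pattern = f"{base}*"
    return [i for i in ids if fnmatchcase(i, pattern)]


def build_regex(base):
    """Build the second token described in the answer: the base id followed
    by either end-of-string ($) or a hyphen (-).

    Additions over the answer's literal 'AA-1($|-)': a leading ^ so the
    pattern cannot match in the middle of an id, and re.escape so a regex
    metacharacter in a real id (e.g. '.') is treated literally.
    """
    return rf"^{re.escape(base)}($|-)"


def regex_filter(ids, base):
    """Stand-in for: system_id=$base_token$* | regex system_id="$regex_token$"

    The cheap wildcard pass narrows the set first (as the search would),
    then the anchored regex drops the AA-10 / AA-12 family.
    """
    prefix_hits = wildcard_filter(ids, base)
    rx = re.compile(build_regex(base))
    return [i for i in prefix_hits if rx.search(i)]


if __name__ == "__main__":
    for base in ("AA-1", "AA-10", "AA-2"):
        print(f"{base}: wildcard -> {wildcard_filter(SYSTEM_IDS, base)}")
        print(f"{base}: regex    -> {regex_filter(SYSTEM_IDS, base)}")
```

The same anchored pattern works wherever the token ends up: in the `regex` command as shown in the answer, or as the second argument of `match()` inside an `eval` or `where` expression. The wildcard pass is kept only to let the indexed search do the bulk filtering; the regex is what makes the result exact.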

yuanliu
SplunkTrust

First, some house cleaning: You posted two nearly identical topics.  This one appears to be more specific in subject.  Could you delete https://community.splunk.com/t5/Splunk-Search/searching-for-specific-result/m-p/659465#M227694, then?

Second, you need to give enough context for a person with no context about your environment, dataset, etc., to understand what difficulty you face, what attempts you have made with what result.  Do not assume that volunteers are mind-readers.  For example,

and so on. Notice all the system_id starts with common 'AA-1' and * afterward. However, when use it as a token, as you've already feel the problem, AA-10* would return ALL the following id's start

Never mind the problem.  I fail to see any problem with putting system_id in a token as discrete values.  For one, system_id starts with AA-1, but there is no asterisk ('*') in any of the examples.  If I use <your initial search> | stats count by system_id to populate $mytoken$, none of the values will have a wildcard.  Your problem statement implies that you populate $mytoken$ either with fixed strings including AA-1*, AA-10*, etc., or you populate $mytoken$ with a search like my example, but manipulate the results in a way that adds a wildcard to certain positions.  Another person would have no way of knowing why you populate $mytoken$ with AA-1* instead of AA-1-*, for example.

Then, there is a question of use of said token.  Do you use it in a search command?  A where command?  A match function?  A different part of an eval expression?  Each of these can work with a string differently.

Can you explain how that wildcard character gets into your token values and how your token is used?

0 Karma
