Splunk Search

search help, token

yohhpark
Path Finder

system_id = AA-1, AA-1-a, AA-1-b, AA-10, AA-10-a, AA-10-b, AA-12, AA-12-a, AA-12-b, ...

and so on. Notice that all the system_id values start with the common 'AA-1', with * afterward. However, when I use it as a token, as you have probably already sensed the problem, AA-10* returns ALL the IDs that start with AA-10 and nothing else, so good. However, if I choose AA-1*, it returns not only the values that start with AA-1 but also AA-10 and AA-12, which I do not want. I am trying to make this a dashboard dropdown with a token, where the user picks AA-1, and it returns only the values that have AA-1, aa-1-a, aa-1-b and so on.

I need your help, search gurus.

I want to search for all results for AA-1 without showing AA-10 or AA-12, yet I also need them in one token.

0 Karma
1 Solution

bowesmana
SplunkTrust

Why do you need them in one token?

You will not be able to search for AA-1* without picking up the AA-10, so if you have a token that is base_id, which contains AA-1, which you search for, i.e.

system_id=$base_token$*

and then a second token with AA-1($|-) and do a regex, e.g.

| regex system_id="$regex_token$"


0 Karma
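A run-anywhere search that reproduces the behaviour described in this answer, added here as an illustration and not part of the original thread. It builds the sample system_id values from the question with makeresults, applies the wildcard filter with AA-1 substituted for $base_token$, and flags which rows the AA-1($|-) pattern would keep; the field name boundary_match is made up for this example.

```spl
| makeresults
| eval system_id=split("AA-1,AA-1-a,AA-1-b,AA-10,AA-10-a,AA-10-b,AA-12,AA-12-a,AA-12-b", ",")
| mvexpand system_id
| search system_id=AA-1*
| eval boundary_match=if(match(system_id, "AA-1($|-)"), "keep", "drop")
| table system_id boundary_match
```

All nine rows survive the wildcard filter, but only AA-1, AA-1-a and AA-1-b are marked keep. Replacing the eval line with | regex system_id="AA-1($|-)" removes the other rows instead of labelling them.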

yuanliu
SplunkTrust

First, some house cleaning: You posted two nearly identical topics.  This one appears to be more specific in subject.  Could you delete https://community.splunk.com/t5/Splunk-Search/searching-for-specific-result/m-p/659465#M227694, then?

Second, you need to give enough context for a person with no context about your environment, dataset, etc., to understand what difficulty you face, what attempts you have made with what result.  Do not assume that volunteers are mind-readers.  For example,


and so on. Notice all the system_id starts with common 'AA-1' and * afterward. However, when use it as a token, as you've already feel the problem, AA-10* would return ALL the following id's start

Never mind the problem.  I fail to see any problem with putting system_id in a token as discrete values.  For one, system_id starts with AA-1, but there is no asterisk ('*') in any of the examples.  If I use <your initial search> | stats count by system_id to populate $mytoken$, none of the values will have a wildcard.  Your problem statement implies that you populate $mytoken$ either with fixed strings including AA-1*, AA-10*, etc., or you populate $mytoken$ with a search like my example, but manipulate the results in a way that adds a wildcard to certain positions.  Another person would have no way of knowing why you populate $mytoken$ with AA-1* instead of AA-1-*, for example.

Then, there is a question of use of said token.  Do you use it in a search command?  A where command?  A match function?  A different part of an eval expression?  Each of these can work with a string differently.

Can you explain how that wildcard character gets into your token values and how your token is used?

0 Karma
