Solved: run specific query depens on token value

spisiakmi · ‎04-24-2024

Hi,

on a dashboard I have a simple check box element: LastOne_tkn (token name). If the check box is enabled, the LastOne_tkn=TRUE. There is simple small table view, which shows some results. I would like to run query in that table view based on LastOne_tkn condition.

LastOne_tkn=TRUE (dedup activated)

index=machinedata
| dedup Attr1
| table Attr1, Attr2

LastOne_tkn=otherwise (dedup deactivated)

index=machinedata
| table Attr1, Attr2

Any idea, please?

ITWhisperer · ‎04-25-2024

Rather than setting the value to true, set it to the line you want in your search

    <input type="checkbox" token="LastOne_tkn">
      <label>Dedup</label>
      <choice value="| dedup Attr1">Dedup</choice>
      <default></default>
      <initialValue></initialValue>
    </input>

Then use the token in your search

index=machinedata
$LastOne_tkn$
| table Attr1, Attr2

View solution in original post

ITWhisperer · ‎04-25-2024

Rather than setting the value to true, set it to the line you want in your search

    <input type="checkbox" token="LastOne_tkn">
      <label>Dedup</label>
      <choice value="| dedup Attr1">Dedup</choice>
      <default></default>
      <initialValue></initialValue>
    </input>

Then use the token in your search

index=machinedata
$LastOne_tkn$
| table Attr1, Attr2

spisiakmi · ‎04-25-2024

Hi ITWhisperer,

exactly this very simple elegant solution I needed. Thank you very much. Works fine.

run specific query depens on token value

using Splunk Enterprise

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk