Solved: Can I create a search parameter that maps to multi...

griffins · ‎06-08-2022

For context, I'm creating a dashboard where a user can search activity of all hosts in an environment or one host in that same environment. Unfortunately, the naming convention used for hostnames makes searching all hosts in a specific environment a bit more complicated than using a single field/value pair with a wildcard. For example, searching all non-production hosts would require a search similar to the following in my case:

index=servers host!="*prd*" AND (host="*30*" OR host="*40*")

In the dashboard, I'd like the user to be able to select a single hostname from a dropdown, or an "All Servers" option from the dropdown.

With that being said, is there a way I can map all the hostnames to a single "field value" such that something like...

index=servers host=allhosts

...would accomplish the same thing as my initial search example?

This would be helpful as it would allow me to use a token for the host field when a user selects an option from the hosts dropdown.

jamie00171 · ‎06-08-2022

hi @griffins ,

Could use an eventype for this: https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Abouteventtypes

Thanks,

Jamie

View solution in original post

jamie00171 · ‎06-08-2022

hi @griffins ,

Could use an eventype for this: https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Abouteventtypes

Thanks,

Jamie

griffins · ‎06-08-2022

I think this would work; however, after reading through some of the eventtype documentation, search macros were suggested if I was looking to shorten a search. So I was able to create what I needed using search macros, but I believe your suggestion would also work 🙂

Thank you!

jamie00171 · ‎06-08-2022

Could you use*

Can I create a search parameter that maps to multiple field values?

fields

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!