Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard - How to set default value for token to two different values, depending on query?

stucky101
Engager
‎08-03-2022 10:09 AM

Hey Gurus

I have a conundrum here regarding a Dashboard Studio board I'm working on to show Infoblox zone transaction details.

I'm trying to write queries that allow for either passing a grid site name or leave it blank and show global stats. Normally, the default value for a token is "*" and that works perfectly with splunk's host wildcard.

However, for some reason, you decided to use a different wildcard for the "where like" function, that being "%". This messes up a query I have when not passing a value for site. Fe. the following query works out as desired when I pass token "sf01-ibsn-c01n"  for macro_site:

 

 

 

where new_serial="$macro_serial$" AND like(client_resolved, "$macro_site$%")

 

 

 

It interpolates it as :

 

 

 

where new_serial="2654170934" AND like(client_resolved, "sf01-ibsn-c01n%")

 

 

 

Of course, when I don't pass a site, the query turns into garbage:

 

 

 

where new_serial="2654170934" AND like(client_resolved, "*%")

 

 

 

 

I cannot change the default value to "%", since now the host wildcard is messed up. I basically need either two conditional defaults or, perhaps, some dash/xml logic to deal with this ?

Any help would be appreciated.

Thank you ! 

0 Karma
Reply

stucky101
Engager
‎08-04-2022 12:47 PM

Answering my own question here. I fixed it. Didn't realize that "search" can also take k/v so I dont even need "where" at all. Luckily, "search" takes regular wildcards 🙂

| search client_resolved="$macro_site$*"

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...