Solved: How to pass a token in to Dashboard with OR?

kiran331 · ‎10-05-2016

Hello,

I have a field status with values new, active, reopen. I have to pass status values as (New or active or reopen).when I pass token with values its taking as AND, but a event has only one of them. How can I do it?

rjthibod · ‎10-05-2016

Do you mean you are passing these values into a search,e.g. index=foo $status_token$ | ... ?

If so, you can use gentimes and format to reformat the value.

Suppose your field is called "status" and you want to search (status=new OR status=active OR status=reopen). So, assuming I understand your plan is to set the token value to "new active reopen", you can use the following to search using OR instead of AND logic.

This should get converted to the following when applied

index=foo ( ( status="open" ) OR ( status="new" ) OR ( status="reopen" ) )

View solution in original post

rjthibod · ‎10-14-2016

@kiran331, did my answer help you? If so, please accept it. If not, please clarify.

kiran331 · ‎10-14-2016

It worked Thanks!

rjthibod · ‎10-05-2016

Do you mean you are passing these values into a search,e.g. index=foo $status_token$ | ... ?

If so, you can use gentimes and format to reformat the value.

Suppose your field is called "status" and you want to search (status=new OR status=active OR status=reopen). So, assuming I understand your plan is to set the token value to "new active reopen", you can use the following to search using OR instead of AND logic.

This should get converted to the following when applied

index=foo ( ( status="open" ) OR ( status="new" ) OR ( status="reopen" ) )

How to pass a token in to Dashboard with OR?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life