Splunk Search

Passing tokens dynamically to search query

k_harini
Communicator

I have a drop down which I populate with the query and editing field values
index="myindex"|stats values(Category) as categories|rex field=categories mode=sed "s/Change Request/CR/" |rex field=categories mode=sed "s/Central Functions/CF/"| mvexpand categories|eval label= categories |eval value = categories

Now since I had changed drop down values how will i pass the original field value as token to my search query where it will work
index="myindex" Category=$categories$| chart count over sourcetype by "Priority" | addtotals fieldname=Total| foreach * [eval Req_Percent = count *100 / Total] | fields - Total

This is not working.. I want to pass the category i select from drop down and change it to field value and pass to query.. How can i accomplish that.. Please help

Tags (1)
0 Karma

sundareshr
Legend

Try this

index="myindex" | rex field=categories mode=sed "s/Change Request/CR/" | rex field=categories mode=sed "s/Central Functions/CF/"| mvexpand categories |  search Category="$categories$" | chart count over sourcetype by "Priority" | addtotals fieldname=Total| foreach * [eval Req_Percent = count *100 / Total] | fields - Total
0 Karma

gcusello
SplunkTrust
SplunkTrust

if you open the search dashboard from your panel, what you find instead of $categories$?
Bye.
Giuseppe

0 Karma

k_harini
Communicator

I get no results found.. When i give query with full field values, its displaying correctly

0 Karma

gcusello
SplunkTrust
SplunkTrust

Open your search in the search dashboard, you should have something like this:

index="myindex" Category=$categories$|...

or

index="myindex" Category=Category=$categories$| ...

or something else, in other words: what you have after Category=?.

Every way make another try, if some values of category are strings with spaces:
index="myindex" Category="$categories$"| ...
put double quotes around token.

Bye.
Giuseppe

0 Karma

k_harini
Communicator

I added double quotes. Reason its not displaying is.. I have used rex in dropdown query and modified the values in drop down (reduced field values length).. when i pass those values to search, they are not there in my log and not getting displayed. Problem here is I'm not able to add rex as calculated field in props file.. Any idea on how to add this as calculated field? Thanks!

0 Karma

nagarjuna560
New Member

Harini,
did you find a solution to this issue?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...