- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to assign value for muliselect option with ano...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to assign value for muliselect option with another token?
Hi , I have a token $hosstype$ which will get values as 'web', 'rpt' etc. If All option is selected the value to be passed to $tokenhost$ should be "prod-$hosttype*". How do i assign value as concatenated string with another token ?
<label>$server$</label>
<search>
<query>index=app sourcetype=app_gc_log host="prod-$hosttype$*"| dedup host |sort host | table host</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="prod-$hosttype$*">All</choice>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<valuePrefix>host=</valuePrefix>
<delimiter> OR </delimiter>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sangs8788 can you step back a little and post the input example and output example?
Is it that hosttype contains a comma separated value and you need to prefix and suffix the entire content?
$hosttype$ -> 'web', 'rpt', 'blah'
$tokenhost$ -> ????
Where is the code which sets up $hosttype$?
Also which version of Splunk are you using 🙂
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay $tokenhost$ -> host="pft-web-1" OR host="pft-web-2"
The tokenhost is based on the multiselected options. It can either be one server or 2 server or it can be All too.
$hosttype$ is passed from another dashboard. This dashboard is drilldown of another. Version of splunk - 6.4.1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sangs8788, I think you need to prefix all host values passed from source-dashboard with pft-. You can do this directly from Source Dashboard by also passing comma delimited values for $form.tokenhost$ for the multiselect. If this seems feasible, I can post a dummy source-destination drilldown to set token for multiselect input.
Meanwhile you can refer to one of my Splunk Wiki Talk topic on setting token for multi-select using text box. In your case the values will be set by source dashboard itself rather than the text-box.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
<label>$server$</label>
<search>
<query>index=app sourcetype=app_gc_log host="prod-$hosttype$*"
| dedup host
| sort 0 host
| eval hostvalue=host
| append [
| makeresults
| eval host="All", hostvalue="prod-$hosttype$*"
]
| table host hostvalue
</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>hostvalue</fieldForValue>
<valuePrefix>host="</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
Technically, since it isn't a multiselect, you wouldn't need the delimiter. If you ever turn it into a multiselect, then you will need these:
<prefix> ( </prefix>
<delimiter> OR </delimiter>
<suffix> ) </suffix>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No luck. The input lists down the server name except for the "All" option
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
