Splunk Search

how to pass filter token based on filter value in search query?

avni26
Explorer

Hi,
I have below multiselect filter , based on username="ABC" , I need to display two more filters.( ip, city)
And when those two input multiselect values should also reflect on our all panel , else it should not get search

<input id="selid"> <search >      <query>search user IN ($seluser$) |      table id | dedup id</query> </search>    <delimiter>, </delimiter>      <default>*</default> <change>      <condition value="ABC"> <set      token="set_tok"></set> <set      token="set_info">  ip IN ($selip$) city IN      ($selcity$)</set> </condition>      <condition> <unset      token="set_tok"></unset> <set      token="set_info"></set> </condition>     </change></input>

Base query:
index........ | search name IN ($selname$) user IN ($seluser$) id IN($selid$) $set_info$

Now , I want to show below as in panel
When I select user=ABC
index ... | search name IN ($selname$) user IN ($seluser$) id IN($selid$) ip IN ($selip$) city IN ($selcity$)

else for other user
index ... | search name IN ($selname$) user IN ($seluser$) id IN($selid$)

I am getting problem , when I am trying to change the value on any of those two filter (ip, city) , its only taking the initial value , when I changed to anything else no effect on panels,
Please suggest , what I am doing wrong here.

Tags (1)
0 Karma

to4kawa
Ultra Champion
 <set token="set_info"> ip IN ($selip$) city IN      ($selcity$)</set>

this statement only works at first.

0 Karma

avni26
Explorer

@to4kawa yes, how to write and at where should this statement will go? Please suggest

0 Karma

to4kawa
Ultra Champion

three tokens throw main search. not to input.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...