Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

is it possible to use tokens from 2 different files together in a query?

anooshac
Communicator
‎03-04-2020 10:12 PM

Hi all, i have been trying to use 2 tokens which are calculated from 2 different files in another query. But it is not working. Can i use 2 tokens from different files in one query or is there any alternative way to achieve this?

Tags (3)
0 Karma
Reply

sumanssah
Communicator
‎03-04-2020 10:31 PM

Yes, it's possible to use 2 tokens from 2 different searches into 1 search. Try using the below-mentioned sample dashboard and change variable as per requirement 

<form theme="dark">
  <label>Host Login Details</label>
  <fieldset submitButton="false">
    <input type="time" token="timeFrame">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>field1</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>field1</fieldForLabel>
      <fieldForValue>field1</fieldForValue>
      <search>
        <query><your search1>| dedup field1 | table field1</query>
      </search>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true">
      <label>field2</label>
      <choice value="*">all</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>field2</fieldForLabel>
      <fieldForValue>field2</fieldForValue>
      <search>
        <query><your search2>| dedup field2 | table field2</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query><your search> field1=$field1$ field2=$field2$ 

| table _time field1 field2</query>
          <earliest>$timeFrame.earliest$</earliest>
          <latest>$timeFrame.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

anooshac
Communicator
‎03-05-2020 12:17 AM

Hi @sumanssah thanks for responding! Actually i am getting the 2 tokens from 2 different files using query. And i am using both of them in the next query. But when both are being used together i am not getting any results. If anyone of them is used at a time i am getting a part of the output. do you know what will be the problem here?

0 Karma
Reply

harshpatel
Contributor
‎03-04-2020 10:29 PM

Please elaborate more on what you are trying to achieve.

0 Karma
Reply

anooshac
Communicator
‎03-05-2020 12:20 AM

hi @harshpatel , i have 2 tokens which are coming from 2 different json files. and i want to use them in the next query. But i am not able to do that. When i use both of them together i am not getting any results. Do you know if any solution for this!

0 Karma
Reply

harshpatel
Contributor
‎03-07-2020 04:22 AM

Did you check if the query generated after replacing both tokens has valid condition(which should satisfy the condition on event)?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...