Another day, another thing to learn; this spices up my job.
Today I built a dashboard. I want the user to give me a list of keywords in a text input, and then I search based on that. The challenge is that it is a list of keywords separated by commas. It would be easy if the user provided a string like this: hostname="hostA" OR hostname="hostB" OR hostname="hostC". Instead, the user will provide this: hostA,hostB,hostC. So I have to split this out and turn the list of keywords into a format that Splunk can understand.
Turning hostA,hostB,hostC into hostname="hostA" OR hostname="hostB" ... is the easy part:
| makeresults
| eval hostlist="hostA,hostB,hostC"
| eval hostlist="hostname=\"*".replace(hostlist,",","*\" OR hostname=\"*")."*\"" | fields hostlist
Cool, right? But how do you feed this into your original search? You might have a query like this:
index=os hostname="*hostA" OR hostname="*hostB"
How do we pass the result of our first search into our second search? This can be resolved by using a set token in the dashboard search. What it does is that in your
Dashboard search 1 (earliest -60m@m, latest now), which builds the filter string and sets the token:
| makeresults
| eval hostlist="hostA,hostB,hostC"
| eval hostlist="hostname=\"*".replace(hostlist,",","*\" OR hostname=\"*")."*\"" | fields hostlist
Dashboard MyDashboard, panel search 2 (earliest -60m@m, latest now), which consumes the token:
| myquery | search $my_second_query_token$
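The two searches wired together in one Simple XML dashboard, written here as an added example rather than taken from the post: a hidden base search builds the filter string and publishes it with a done/set token, and the panel search waits for that token before it runs. The input token name hostlist_raw, the search id, the default host list and the index=os panel search are assumptions; the |s token filter quotes and escapes the user's text before it is substituted into SPL, so a stray quote in the input cannot alter the query.

```xml
<form version="1.1">
  <label>MyDashboard</label>
  <fieldset submitButton="true">
    <!-- Free-text input; token name "hostlist_raw" is assumed, default value is constructed -->
    <input type="text" token="hostlist_raw">
      <label>Hosts (comma-separated)</label>
      <default>hostA,hostB,hostC</default>
    </input>
  </fieldset>

  <!-- Base search (id assumed): turns "hostA,hostB,hostC" into
       hostname="*hostA*" OR hostname="*hostB*" OR hostname="*hostC*".
       $hostlist_raw|s$ substitutes the input as a quoted, escaped SPL string. -->
  <search id="build_filter">
    <query>
      | makeresults
      | eval hostlist=trim($hostlist_raw|s$)
      | eval hostlist="hostname=\"*".replace(hostlist,"\s*,\s*","*\" OR hostname=\"*")."*\""
      | fields hostlist
    </query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <!-- Runs when the search finishes; $result.hostlist$ is the hostlist field of the first row -->
    <done>
      <set token="my_second_query_token">$result.hostlist$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Matching events</title>
      <table>
        <!-- This search does not run until my_second_query_token is defined -->
        <search>
          <query>index=os | search $my_second_query_token$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the token is inserted unescaped into the second query, keep the base search the only place it is built; never substitute the raw input token straight into the panel search.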