Can we save output of a table in different tokens?

srujan0009 — Tue, 29 Sep 2020 19:44:35 GMT

The output of Splunk query is a table.
Can i save all results in different tokens?

Example: (Output of Splunk query)
Row Count_by_values
1 123
2 4567
3 5896
4 4573
5 3512

Here, can i store all values(123, 4567, 5896, 4573, 3512) in 5 different tokens?

Re: Can we save output of a table in different tokens?

Javip — Fri, 01 Jun 2018 10:51:28 GMT

I cannot understand what you are trying to do... Can you explain and provide more info?

Re: Can we save output of a table in different tokens?

paramagurukarth — Fri, 01 Jun 2018 11:01:22 GMT

If you could share about your actual requirement .. we can try some different solution.. because the requirement in your question is not like a good approach for any problem.solution..

Now the Answer for your question is NO,

Because, Using simple xml we can populate the splunk tokens only using the fields in the last row of the result.

Re: Can we save output of a table in different tokens?

niketn — Fri, 01 Jun 2018 13:22:06 GMT

@srujan0009 there could be multiple options to do this but depending on several things like:
1) What you want to do afterwards once you have the results from above table?
2) Are there always five values or can the number of results differ?

Please add more details for the community members to help.

Following are the three options I can think of:

1) Use Post Processing to reuse the search to initial further processing on existing results
2) Use the Search job Id (thorough addinfo command or $job.sid$ built in search job token) to load the job results using loadjob command and perform further actions on results
3) You can use transpose command to convert rows to column and fetch the default search job token for each result in the first row using <done> or <progress> search event handler through $result.fieldname$ token.
4) If you are on 6.6. or higher Trellis can be used to break up row level data to visualizations like Single Value, Gauges etc.

Following is a run anywhere example for Option 3 with transpose command which assumes there are only 5 rows in all the cases:

<dashboard>
  <label>Token for each row value</label>
  <!-- Dumy Search to perform transpose on original search for table-->
  <search base="baseSearch">
    <query>|  transpose 5 header_field=Row
|  rename "*" as "Field_*"
    </query>
    <done>
      <set token="tokField1">$result.Field_1$</set>
      <set token="tokField2">$result.Field_2$</set>
      <set token="tokField3">$result.Field_3$</set>
      <set token="tokField4">$result.Field_4$</set>
      <set token="tokField5">$result.Field_5$</set>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <search id="baseSearch">
          <query>|  makeresults
|  fields - _time
|  eval data="1 123;2 4567;3 5896;4 4573;5 3512"
|  makemv data delim=";"
|  mvexpand data
|  makemv data delim=" "
|  eval Row=mvindex(data,0), Count_by_values=mvindex(data,1)
|  fields - data, _*
|  table Row Count_by_values</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <html>
        <div>
          <ul>
            <li>tokField1: $tokField1$</li>
            <li>tokField2: $tokField2$</li>
            <li>tokField3: $tokField3$</li>
            <li>tokField4: $tokField4$</li>
            <li>tokField5: $tokField5$</li>
          </ul>
        </div>
      </html>
    </panel>
  </row>
</dashboard>

topic Re: Can we save output of a table in different tokens? in Splunk Dev

Can we save output of a table in different tokens?

Re: Can we save output of a table in different tokens?

Re: Can we save output of a table in different tokens?

Re: Can we save output of a table in different tokens?