https://community.splunk.com/t5/Splunk-Search/How-to-get-token-value-and-time-value-from-a-single-dropdown-in/m-p/597987#M208226 <P>I figured it out - I needed to use the done functionality to make it work from the table:<BR /><BR />&lt;done&gt;<BR />&lt;set token="case_num"&gt;$result.case_idz$&lt;/set&gt;<BR />&lt;set token="earliest_event"&gt;$result.earliest_event$&lt;/set&gt;<BR />&lt;set token="latest_event"&gt;$result.latest_event$&lt;/set&gt;<BR />&lt;/done&gt;<BR /><BR />I also needed to remove the ctime conversion, and leave it in UNIX time. Works now!</P> Mon, 16 May 2022 18:28:55 GMT gwalford 2022-05-16T18:28:55Z https://community.splunk.com/t5/Splunk-Search/How-to-get-token-value-and-time-value-from-a-single-dropdown-in/m-p/597982#M208224 <P>How can I pull 3 tokens from a single dropdown search? - I would like our users to select the case_idz, and have the _time value populate from the same dropdown (I know I can append this to the individual searches with the case_idz token, but that seems very brute force and inelegant.)<BR /><BR />Here is the populating search:<BR /><BR /><FONT color="#0000FF">| tstats count WHERE index=cases BY source, _time</FONT><BR /><FONT color="#0000FF">| fields source, _time</FONT><BR /><FONT color="#0000FF">| rex field=source max_match=0 "^[A-Z]:\\\\([^\\\\]*)\\\\([^\\\\]*)\\\\(?P&lt;case_idz&gt;[^\\\\]*)"</FONT><BR /><FONT color="#0000FF">| stats count by case_idz, _time</FONT><BR /><FONT color="#0000FF">| fields case_idz, _time</FONT><BR /><FONT color="#0000FF">| stats earliest(_time) AS earliest_event, latest(_time) AS latest_event by case_idz</FONT><BR /><FONT color="#0000FF">| convert ctime(earliest_event) ctime(latest_event)</FONT><BR /><BR />Which gives a table of:</P> <P class=""><SPAN class=""><STRONG>case_idz earliest_event latest_event</STRONG><BR /><BR />I would like to turn each of these into a token:<BR /><BR />$case_idz$ $earliest_event$ $latest_event$<BR /><BR />The case_idz is the value that they need to pivot off of, and the earliest_event and latest_event are the second and third tokens that I would like to leverage to set the earliest and latest time values for the searches.<BR /><BR />Other than taking components of this search and adding it to each and every dashboard, how can I have the three variables trigger in one pass?</SPAN></P> Mon, 16 May 2022 17:01:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-token-value-and-time-value-from-a-single-dropdown-in/m-p/597982#M208224 gwalford 2022-05-16T17:01:17Z https://community.splunk.com/t5/Splunk-Search/How-to-get-token-value-and-time-value-from-a-single-dropdown-in/m-p/597987#M208226 <P>I figured it out - I needed to use the done functionality to make it work from the table:<BR /><BR />&lt;done&gt;<BR />&lt;set token="case_num"&gt;$result.case_idz$&lt;/set&gt;<BR />&lt;set token="earliest_event"&gt;$result.earliest_event$&lt;/set&gt;<BR />&lt;set token="latest_event"&gt;$result.latest_event$&lt;/set&gt;<BR />&lt;/done&gt;<BR /><BR />I also needed to remove the ctime conversion, and leave it in UNIX time. Works now!</P> Mon, 16 May 2022 18:28:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-token-value-and-time-value-from-a-single-dropdown-in/m-p/597987#M208226 gwalford 2022-05-16T18:28:55Z