Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any way to pass the all the values of a column from 1st to 2nd panel?

skjaki786
Observer
‎05-08-2024 11:22 PM

this one didn't work

<done>
<condition match="$job.resultCount$==0">
<set token="Tokent">0</set>
</condition>
<condition>
<set token="Tokent">$row.device_ip_address.value$</set>
</condition>
</done>

below one is only giving 1st value of the field... I need to show rest of the values of device_ip_address

<done>
<condition match="$job.resultCount$==0">
<set token="Tokent">0</set>
</condition>
<condition>
<set token="Tokent">$result.device_ip_address$</set>
</condition>
</done>

Labels (1)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2024 11:30 PM

The drilldown can't pass multiple rows of a table, but you could do this in a couple of ways

1. Create a stats values() of the column you want and just do not display it - using the <fields> XML element - it will still exist in every row as a field. Pass this field as a multi value field.

2. When you click the table, have a second search that uses the first search as a base search and runs and does the stats values(column) and another <done> clause to set the token.

0 Karma
Reply

skjaki786
Observer
‎05-08-2024 11:49 PM

Thanks for the reply. But I forgot to mention that both are having different indexes> I am not able to use base search here.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-09-2024 05:42 PM

Yes, you can because the second search using the base is simply to create the single row result, which you can then turn into a token, e.g.

<search id="base">
  <query>
bla
  </query>
</search>

<table depends="$hidden$">
  <search base="base">
    <query>
| stats values(device_ip_address) as device_ip_address
| eval device_ip_address=mvjoin(device_ip_address, ",")
    </query>
  </search>
  <done>
    <set token="mytoken">$result.device_ip_address$</set>
  </done>
</table>

and then your other search can use $mytoken$ as needed - use the eval in the second search to make the format of the device_ip_address values what you need it to be for the other search.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...