Defining all values in a tables column as a global token to use anytime...

onegame999
Explorer

I've been looking for a while now for an answer. I have read just about everything, but I am not getting what I am looking for.

My first panel search is simply an Inputlookup csv predefined in Splunk that updates nightly with new data..
The user controls the results table with the time picker....whatever dates they choose, a table is produced.... so far so good....

What I want to do is grab an entire column/ field that's returned and use all the values in a second panel...
Just simply being able to use | Table $Customers$ in the second panel or use that list with a where clause in second panel....

I don't want a drill down or click value or anything I just want to use the whole list / column in the second panel.. nothing fancy

my code..

| inputlookup Customers_2019.csv
| search Products = "sold"
| eval _time = Purchase_date
| sort - DateCreated
| table Customers

which produces the list I want...

I want to simply pass the Customers to a token to use later..


to4kawa
Ultra Champion
| inputlookup Customers_2019.csv
| search Products = "sold"
| table Customers
| format

Hi, How about this?

<done>
  <set token="your_token">$result.search$</set>
</done>

Not Customers


renjith_nair
Legend

@onegame999,

Couldn't find any method which passes multiple values at a time by default. However, I tried this workaround and it seems to be working.

  • Combining values of column to an additional field (field with "_" is hidden in the output)
  • Set the values to a token once the search is done
  • Use the token in the subsequent searches

Here is a run-anywhere example

<dashboard>
  <label>ColumnValues</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal|stats count by sourcetype|eventstats values(sourcetype) as _additional</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="column_values">$result._additional$</set>
          </done>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title></title>
      <table>
        <search>
          <query>|makeresults|eval column="$column_values$"</query>
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

It currently produces a comma (,) separated list, but that can be processed using mv commands based on how you want to use them later.
It should be fine for small datasets, but I haven't tested against a large dataset.

  • Another option is to write the results of the first search to a temp lookup and source that lookup in the second search
Happy Splunking!

bowesmana
SplunkTrust

You don't need to make the field prefixed with an underscore; an alternative is to add the <fields> element to control the table fields, i.e.

index=_internal|stats count by sourcetype
|eventstats values(sourcetype) as sourcetypes

and then just list the fields you want
<fields>sourcetype,count</fields>

https://docs.splunk.com/Documentation/Splunk/8.0.0/Viz/PanelreferenceforSimplifiedXML#table

renjith_nair
Legend

@bowesmana, you are right, but values which are not present in the result table won't be available in the $result. token. Try it

Happy Splunking!

bowesmana
SplunkTrust

Not sure I get you, @renjith.nair. If the results are not in the table, then naturally they would not be in the token. Is there another possibility?


renjith_nair
Legend

@bowesmana, that's why I used the _ variable. It doesn't display in the result table, but it will be available in the result set token.

Happy Splunking!

bowesmana
SplunkTrust

@renjith.nair My point was that using the fields XML statement allows you to control what values are SHOWN in the table, regardless of what fields are in the SPL. You can have any number of fields in the results, but only show a subset of these. All fields in the results are then available to tokens.

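Putting the three suggestions from this thread together for the original Customers_2019.csv case: this is an added run-anywhere example, not code from any of the posts. It uses renjith_nair's done-handler token and bowesmana's <fields> element, but instead of a comma list it builds a ready-to-use search expression (to4kawa's idea) so the second panel can just do | search $customer_filter$. The field names Customers, Products, Purchase_date and the Products="sold" filter are taken from the question; the time picker is left out. Because the token is spliced into the second query as raw SPL, quotes are stripped from the customer values first, and the second panel only renders once the token exists.

```xml
<dashboard>
  <label>Customers column as a search token</label>
  <row>
    <panel>
      <title>Sold products (all Customers values feed the second panel)</title>
      <table>
        <search>
          <!-- A stray quote in a value would break the generated search, so drop quotes before collecting. -->
          <query>| inputlookup Customers_2019.csv
| search Products="sold"
| eval customer_clean = replace(Customers, "\"", "")
| eventstats values(customer_clean) as customer_list
| eval customer_filter = "Customers=\"" . mvjoin(customer_list, "\" OR Customers=\"") . "\""
| table Customers Products Purchase_date customer_filter</query>
          <done>
            <!-- First row's value; every row carries the same full list -->
            <set token="customer_filter">$result.customer_filter$</set>
          </done>
        </search>
        <!-- customer_filter stays in the result set (so the token sees it) but is not shown -->
        <fields>Customers,Products,Purchase_date</fields>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <!-- depends: panel is hidden until the first search has set the token, so no half-formed query runs -->
    <panel depends="$customer_filter$">
      <title>Second panel: all rows for the customers listed above</title>
      <table>
        <search>
          <query>| inputlookup Customers_2019.csv
| search $customer_filter$
| table Customers Products Purchase_date</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The generated token looks like Customers="A" OR Customers="B", so it can equally be dropped into a where-style filter with | search; if the first search returns no rows the token is never set and the second panel stays hidden.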