Defining all values in a tables column as a global token to use anytime...

Explorer

I have been looking for a while now for an answer; I have read just about everything but I am not getting what I am looking for.

My first panel search is simply an inputlookup of a CSV predefined in Splunk that updates nightly with new data.
The user controls the results table with the time picker: whatever dates they choose, a table is produced. So far so good.

What I want to do is grab an entire column/field that's returned and use all the values in a second panel,
simply being able to use | table $Customers$ in the second panel, or use that list with a where clause in the second panel.

I don't want a drilldown or click value or anything; I just want to use the whole list/column in the second panel. Nothing fancy.

My code:

| inputlookup Customers_2019.csv
| search Products = "sold"
| eval _time = Purchase_date
| sort - DateCreated
| table Customers

which produces the list I want...

I want to simply pass the Customers to a token to use later..

0 Karma

SplunkTrust
| inputlookup Customers_2019.csv
| search Products = "sold"
| table Customers
| format

Hi, how about this?

<done>
  <set token="your_token">$result.search$</set>
</done>

Not Customers

0 Karma

SplunkTrust

@onegame999,

I couldn't find any method that passes multiple values at a time by default. However, I tried this workaround and it seems to be working.

  • Combine the values of the column into an additional field (a field prefixed with "_" is hidden in the output)
  • Set the values to a token once the search is done
  • Use the token in the subsequent searches

Here is a run-anywhere example:

<dashboard>
  <label>ColumnValues</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal|stats count by sourcetype|eventstats values(sourcetype) as _additional</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="column_values">$result._additional$</set>
          </done>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title></title>
      <table>
        <search>
          <query>|makeresults|eval column="$column_values$"</query>
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

It currently produces a comma (,) separated list, but that can be processed using mv commands depending on how you want to use the values later.
It should be fine for small datasets, but I haven't tested it against a large dataset.

  • Another option is to write the results of the first search to a temp lookup and source that lookup in the second search.
0 Karma

Influencer

You don't need to prefix the field with an underscore; an alternative is to add the element that controls the table fields, i.e.

index=_internal|stats count by sourcetype
|eventstats values(sourcetype) as sourcetypes

and then just list the fields you want
<fields>sourcetype,count</fields>

https://docs.splunk.com/Documentation/Splunk/8.0.0/Viz/PanelreferenceforSimplifiedXML#table

SplunkTrust

@bowesmana, you are right, but values which are not present in the result table won't be available in the $result. token. Try it.

0 Karma

Influencer

Not sure I get you, @renjith.nair. If the results are not in the table then naturally they would not be in the token. Is there another possibility?

0 Karma

SplunkTrust

@bowesmana, that's why I used the _ variable. It doesn't display in the result table but will be available in the result set token.

0 Karma

Influencer

@renjith.nair My point was that using the fields XML statement allows you to control what values are SHOWN in the table, regardless of what fields are in the SPL. You can have any number of fields in the results, but only show a subset of these. All fields in the results are then available to tokens.

0 Karma
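Putting the two answers together, here is an added run-anywhere dashboard (written for this page, not taken from any of the posters above) that follows the OP's setup: a time picker drives the first search, the first search carries the whole column in a helper field that is kept out of the displayed table with the <fields> element rather than an underscore prefix, the <done> handler copies that field into a token, and the second panel turns the token back into individual values and uses them in a where clause. The input name tp, the token name column_values, and the field names sourcetypes and allowed are my own choices; everything else is standard Simple XML and SPL. Two details are deliberate: mvjoin fixes the separator to a bare comma so the second panel does not depend on how a multivalue field happens to be rendered into $result.<field>$, and the |s token filter inserts the token as a single quoted string literal so a value containing a quote or a space cannot break the query.

```xml
<dashboard>
  <label>Column values as a token (added example)</label>
  <fieldset submitButton="false">
    <!-- The time picker drives the first search, as in the original question;
         every re-run fires <done> again and refreshes the token -->
    <input type="time" token="tp">
      <label>Time range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1: count by sourcetype (helper column hidden with fields)</title>
      <table>
        <search>
          <!-- eventstats copies the whole column into every row; mvjoin makes
               the helper field a plain comma-separated string with no spaces -->
          <query>index=_internal
| stats count by sourcetype
| eventstats values(sourcetype) as sourcetypes
| eval sourcetypes=mvjoin(sourcetypes, ",")</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
          <done>
            <!-- $result.<field>$ reads the first row of the finished search;
                 the field must exist in the results, not just in the display -->
            <set token="column_values">$result.sourcetypes$</set>
          </done>
        </search>
        <!-- sourcetypes stays in the result set (so the token can see it)
             but only these two columns are drawn -->
        <fields>sourcetype,count</fields>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Panel 2: rows restricted to the values held in the token</title>
      <table>
        <search>
          <!-- |s wraps the token value in double quotes and escapes any quotes
               inside it, so the list lands in SPL as one string literal -->
          <query>index=_internal
| stats count by sourcetype, component
| eval allowed=$column_values|s$
| makemv delim="," allowed
| mvexpand allowed
| where sourcetype=allowed
| fields - allowed</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

To apply it to the original question, replace the first query with `| inputlookup Customers_2019.csv | search Products="sold" | eventstats values(Customers) as customer_list | eval customer_list=mvjoin(customer_list, ",")`, set `<fields>Customers</fields>`, and point the <done> handler at `$result.customer_list$`; the second panel's makemv/mvexpand step then gives one row per customer, which is the form a where clause or a subsearch needs. As renjith.nair notes, the token is a single string, so this suits small lists; for a large column the temp-lookup approach scales better.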