I've been looking for a while now for an answer. I have read just about everything, but I am not getting what I am looking for.
My first panel search is simply an inputlookup of a CSV predefined in Splunk that updates nightly with new data.
The user controls the results table with the time picker; whatever dates they choose, a table is produced. So far so good.
What I want to do is grab an entire column/field that's returned and use all the values in a second panel.
Just simply being able to use | table $Customers$ in the second panel, or use that list with a where clause in the second panel.
I don't want a drilldown or click value or anything; I just want to use the whole list/column in the second panel. Nothing fancy.
| inputlookup Customers_2019.csv
| search Products="sold"
| eval _time = Purchase_date
| sort - DateCreated
| table Customers
which produces the list I want.
I want to simply pass the Customers column to a token to use later.
I couldn't find any method that passes multiple values at a time by default. However, I tried this workaround and it seems to be working.
Here is a run-anywhere example:
<dashboard>
  <label>ColumnValues</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal|stats count by sourcetype|eventstats values(sourcetype) as _additional</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="column_values">$result._additional$</set>
          </done>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title></title>
      <table>
        <search>
          <query>|makeresults|eval column="$column_values$"</query>
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
It currently produces a comma (,) separated list, but that can be processed using mv commands depending on how you want to use the values later.
It should be fine for small datasets, but I haven't tested it against a large dataset.
You don't need to prefix the field with an underscore; an alternative is to add the <fields> element to control the table fields, i.e.
index=_internal|stats count by sourcetype
|eventstats values(sourcetype) as sourcetypes
and then just list the fields you want in <fields>.
@renjith.nair My point was that using the fields XML statement allows you to control what values are SHOWN in the table, regardless of what fields are in the SPL. You can have any number of fields in the results, but only show a subset of these. All fields in the results are then available to tokens.
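Putting the done-handler approach from the answer together with the <fields> suggestion from the comments, here is an added run-anywhere dashboard that is not from the original thread. The token name sourcetypes, the panel titles and the row limit on return are my own choices; the second panel shows how to turn the comma-separated token back into a multivalue field and use it as a filter, which is what the question asked for.

```xml
<dashboard>
  <label>Column values as a token</label>
  <row>
    <panel>
      <title>Source panel</title>
      <table>
        <search>
          <!-- values() collects the whole column into one multivalue field on every row -->
          <query>index=_internal | stats count by sourcetype | eventstats values(sourcetype) as sourcetypes</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <!-- $result.sourcetypes$ is the first row's value, rendered as a comma-separated list -->
            <set token="sourcetypes">$result.sourcetypes$</set>
          </done>
        </search>
        <!-- only these columns are shown; the helper field stays in the results and feeds the token -->
        <fields>["sourcetype","count"]</fields>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <!-- depends keeps this panel from running with an empty token before the first search finishes -->
    <panel depends="$sourcetypes$">
      <title>Consumer panel: filter by the list from the first panel</title>
      <table>
        <search>
          <!-- The |s filter quotes the token as a search-string literal, so a value containing a
               double quote cannot break out of the eval and alter the SPL (use it for any token
               built from user data such as customer names). makemv splits the comma-separated
               list into a multivalue field and return emits (sourcetype="a") OR (sourcetype="b") ...
               which the outer search uses as its filter. -->
          <query>index=_internal [ | makeresults | eval sourcetype=$sourcetypes|s$ | makemv delim="," sourcetype | mvexpand sourcetype | return 1000 sourcetype ] | stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Replace the index=_internal searches with the inputlookup from the question and the Customers field for sourcetype to get the where-clause behaviour against the CSV.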