Can I use a field as a token without it showing on the search?

maffreitas
Path Finder

Can I use a field as a token without it showing on the search?

For example:
index=idx_abc sourcetype=src_a TOTAL > 10 | table Col1 Col2 Col3

I want to use $result.TOTAL$. In other words, I want to refer to a column without showing it in the search results.

0 Karma

weidertc
Communicator

If you prefix the token name with an underscore it will hide it from the table, but the information is still present for you to use.  You will still need to put it in the final table.

This command will contain the data for all 4 fields, but it will only visibly show you the 3 without leading underscores.

| table _TOTAL Col1 Col2 Col3

This token will be available for you to use.

$result._TOTAL$

grywiner51
Explorer

This is the way.  Thank you weidertc!

0 Karma

cmerriman
Super Champion

Try this (put TOTAL in the table but use under options):

  <row>
    <panel>
      <table>
        <title>TITLE</title>
        <search>
          <query>index=idx_abc sourcetype=src_a TOTAL > 10 | table Col1 Col2 Col3 TOTAL </query>
          <set token="total">$result.TOTAL$</set>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <fields>["Col1","Col2","Col3"]</fields>
      </table>
    </panel>
  </row>
0 Karma

maffreitas
Path Finder

Hi @cmerriman, thank you.

It unfortunately does not work, because if I try to use the $result.TOTAL$, this value comes empty in the email.

0 Karma

cmerriman
Super Champion

You might need to do:

<done>
<set token="total">$result.TOTAL$</set>
</done>

or

<preview>
<set token="total">$result.TOTAL$</set>
</preview>

Something to help troubleshoot tokens is to use showtokens.js to see if the token is being created/evaluated correctly.

0 Karma

maffreitas
Path Finder

@cmerriman, thank you again.

I got your point, but by default I can't use simpleXML on email alert notification, can I?
(http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/EmailNotificationTokens)

0 Karma

cmerriman
Super Champion

Sorry, I was thinking through dashboards and not alerts. I think the field has to be available for you to use it in your alert.

0 Karma
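
The underscore approach from weidertc's answer, applied to the email alert case raised at the end of the thread. This is an added example, not part of any post: the stanza name, schedule and recipient are placeholders, and the `eval` that copies TOTAL into `_TOTAL` is an assumed way of creating the underscore-prefixed field the answer relies on.

```ini
# savedsearches.conf -- constructed example, not taken from the thread.
# Stanza name, schedule and recipient below are placeholders.
[abc_total_over_10]
# Copy TOTAL into an underscore-prefixed field and keep that field in the
# final table so it is still present in the result row.
search = index=idx_abc sourcetype=src_a TOTAL > 10 \
| eval _TOTAL=TOTAL \
| table _TOTAL Col1 Col2 Col3
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger when the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0

# Email action. $result.<field>$ is filled from the first result row,
# so the field has to exist in the final results of the search.
action.email = 1
action.email.to = soc@example.com
action.email.subject.alert = TOTAL threshold exceeded: $name$
action.email.message.alert = TOTAL for the first matching row is $result._TOTAL$.
action.email.inline = 1
action.email.format = table
```

If `$result._TOTAL$` comes through empty, check that `_TOTAL` is still listed in the last `table` command; a field dropped before the end of the search is not available to the email action.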