Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with a token issue?

jip31
Motivator
‎03-01-2019 04:08 AM

Hi

I use the scheduled search below

eventtype="AppliService" Name="mfevtp" 
| fields Name, host 
| dedup host Name
| stats count

This search is called from the dashboard with a loadjob command

| loadjob savedsearch="admin:xx:xx" 
**| search host=$tok_filterhost$** 
| fields - host 
| append 
    [ makeresults 
    | eval EventCode=0] 
| stats sum(EventCode)

But I have an issue with | search host=$tok_filterhost$

When I delete this piece of code I have results.

When there is this one, I have a 0 result even if I put a host name in my token entry.

It's strange because I have already used this kind of search, and it was working perfectly.

Is somebody has an idea please?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-01-2019 04:17 AM

The result of the first query is a count, not a count by host

eventtype="AppliService" Name="mfevtp"
| fields Name, host
| dedup host Name
| stats count

count
1000

If you want to use the host searching later you need to include it in the stats count

eventtype="AppliService" Name="mfevtp"
| fields Name, host
| dedup host Name
| stats count by host

Then you;ll be able to search the latter

View solution in original post

Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-01-2019 04:17 AM

The result of the first query is a count, not a count by host

eventtype="AppliService" Name="mfevtp"
| fields Name, host
| dedup host Name
| stats count

count
1000

If you want to use the host searching later you need to include it in the stats count

eventtype="AppliService" Name="mfevtp"
| fields Name, host
| dedup host Name
| stats count by host

Then you;ll be able to search the latter

Reply
Solved! Jump to solution

jip31
Motivator
‎03-03-2019 11:32 PM

thanks tiago

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-01-2019 10:02 PM

thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...