Dashboards & Visualizations

Can you help me with a token issue?

jip31
Motivator

Hi

I use the scheduled search below

eventtype="AppliService" Name="mfevtp" 
| fields Name, host 
| dedup host Name
| stats count

This search is called from the dashboard with a loadjob command

| loadjob savedsearch="admin:xx:xx" 
**| search host=$tok_filterhost$** 
| fields - host 
| append 
    [ makeresults 
    | eval EventCode=0] 
| stats sum(EventCode)

But I have an issue with | search host=$tok_filterhost$

When I delete this piece of code I have results.

When there is this one, I have a 0 result even if I put a host name in my token entry.

It's strange because I have already used this kind of search, and it was working perfectly.

Is somebody has an idea please?

Tags (2)
0 Karma
1 Solution

tiagofbmm
Influencer

The result of the first query is a count, not a count by host

eventtype="AppliService" Name="mfevtp"
| fields Name, host
| dedup host Name
| stats count

count
1000

If you want to use the host searching later you need to include it in the stats count

eventtype="AppliService" Name="mfevtp"
| fields Name, host
| dedup host Name
| stats count by host

Then you;ll be able to search the latter

View solution in original post

tiagofbmm
Influencer

The result of the first query is a count, not a count by host

eventtype="AppliService" Name="mfevtp"
| fields Name, host
| dedup host Name
| stats count

count
1000

If you want to use the host searching later you need to include it in the stats count

eventtype="AppliService" Name="mfevtp"
| fields Name, host
| dedup host Name
| stats count by host

Then you;ll be able to search the latter

jip31
Motivator

thanks tiago

0 Karma

jip31
Motivator

thanks a lot

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...