Dashboards & Visualizations

How to put query result in token?

praspai
Path Finder

Hi,

I want to out result from query into token. How can I do that.


<query>|inputlookup SourceType_Attributes | where Sourcetype=$source_type$ | table field1
<done>
<condition match=" '.resultCount' >= 1">
<set token="t_query_fields">$'result.field1'$</set>
</condition>
</done>

I am not sure I have a right syntax

0 Karma
1 Solution

vishaltaneja070
Motivator

Hello @praspai

Could you please try this:

<search>
    <query>
          index=main |eval x="Issue : Category="+category|eval x=if(u_subcategory>0,x+" Subcategory="+u_subcategory,x)|table x
        </query>
    <earliest>-24h</earliest>
    <latest>now</latest>
    <done>
      <set token="token_problem">$result.x$</set>
    </done>
  </search>

Please let me know if it works for you.

View solution in original post

vishaltaneja070
Motivator

Hello @praspai

Could you please try this:

<search>
    <query>
          index=main |eval x="Issue : Category="+category|eval x=if(u_subcategory>0,x+" Subcategory="+u_subcategory,x)|table x
        </query>
    <earliest>-24h</earliest>
    <latest>now</latest>
    <done>
      <set token="token_problem">$result.x$</set>
    </done>
  </search>

Please let me know if it works for you.

493669
Super Champion

you can try like below:

<condition match=" $job.resultCount$ >= 1">
    <set token="t_query_fields">$result.field1$</set>
</condition>

refer this: http://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/tokens

Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...