Hi,
I want to put the result from a query into a token. How can I do that?
<query>|inputlookup SourceType_Attributes | where Sourcetype=$source_type$ | table field1
<done>
<condition match=" '.resultCount' >= 1">
<set token="t_query_fields">$'result.field1'$</set>
</condition>
</done>
I am not sure I have the right syntax.
Hello @praspai
Could you please try this:
<search>
<query>
index=main |eval x="Issue : Category="+category|eval x=if(u_subcategory>0,x+" Subcategory="+u_subcategory,x)|table x
</query>
<earliest>-24h</earliest>
<latest>now</latest>
<done>
<set token="token_problem">$result.x$</set>
</done>
</search>
Please let me know if it works for you.
You can try it like below:
<condition match=" $job.resultCount$ >= 1">
<set token="t_query_fields">$result.field1$</set>
</condition>
Refer to this: http://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/tokens
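
The suggestions above combined into one complete form, as an added example that is not part of the original posts. The text input, labels, and HTML panel are assumptions made for illustration. The `|s` token filter, which wraps the input value in quotes so `where` compares it as a string literal instead of splicing raw user input into the search, is also an addition not taken from the thread.

```xml
<form>
  <label>Lookup result into token (example)</label>
  <fieldset submitButton="false">
    <!-- Assumed input: supplies the $source_type$ token used in the question -->
    <input type="text" token="source_type">
      <label>Sourcetype</label>
    </input>
  </fieldset>
  <!-- Search with no visualization: it runs only to populate the token -->
  <search>
    <!-- $source_type|s$ quotes the value, so it is treated as a string
         literal rather than as a field name or extra search syntax -->
    <query>| inputlookup SourceType_Attributes | where Sourcetype=$source_type|s$ | table field1</query>
    <done>
      <!-- First condition that matches wins -->
      <condition match="$job.resultCount$ >= 1">
        <!-- $result.field1$ is field1 from the first result row only -->
        <set token="t_query_fields">$result.field1$</set>
      </condition>
      <!-- Fallback: clear the token so a stale value from an earlier run is not reused -->
      <condition>
        <unset token="t_query_fields"></unset>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <html>
        <p>field1 of first result: $t_query_fields$</p>
      </html>
    </panel>
  </row>
</form>
```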