Solved: Re: How to put query result in token?

praspai · ‎08-27-2018

Hi,

I want to out result from query into token. How can I do that.

<query>|inputlookup SourceType_Attributes | where Sourcetype=$source_type$ | table field1 <done> <condition match=" '.resultCount' >= 1"> <set token="t_query_fields">$'result.field1'$</set> </condition> </done>

I am not sure I have a right syntax

vishaltaneja070 · ‎08-27-2018

Hello @praspai

Could you please try this:

<search>
    <query>
          index=main |eval x="Issue : Category="+category|eval x=if(u_subcategory>0,x+" Subcategory="+u_subcategory,x)|table x
        </query>
    <earliest>-24h</earliest>
    <latest>now</latest>
    <done>
      <set token="token_problem">$result.x$</set>
    </done>
  </search>

Please let me know if it works for you.

View solution in original post

vishaltaneja070 · ‎08-27-2018

Hello @praspai

Could you please try this:

<search>
    <query>
          index=main |eval x="Issue : Category="+category|eval x=if(u_subcategory>0,x+" Subcategory="+u_subcategory,x)|table x
        </query>
    <earliest>-24h</earliest>
    <latest>now</latest>
    <done>
      <set token="token_problem">$result.x$</set>
    </done>
  </search>

Please let me know if it works for you.

493669 · ‎08-27-2018

you can try like below:

<condition match=" $job.resultCount$ >= 1">
    <set token="t_query_fields">$result.field1$</set>
</condition>

refer this: http://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/tokens

How to put query result in token?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!