Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to set token from specific row & field in a ta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, so I'm trying to consolidate some searches and one sticking point is that I've got an ugly base search chased by another doing an appendpipe to give me a summary row. Ideally I'd like it to be one search, however, I need to set tokens from the values in the summary but cannot seem to make that happen outside of the separate search.
I know it uses the $result.fieldname$ method and drilldowns use $row.column$. I'm kinda hoping there's a hybrid to specify the row# or last row specifically using the $result.xxx$ style. (If there is, I can 't get the syntax correct...)
<search id="bigolquery">
<query> yadda yadda </query>
</search>
<search id="bigolsumm" base="bigoldquery">
<query>
| appendpipe [ stats sum(fld1) as fld1 sum(fld2) as fld2
| eval fldavg=round(fld1/fld2*100,1)]
</query>
<done>
<set token="fld1val">$result.fld1$</set>
<set token="fld2val">$result.fld2$</set>
<set token="fldavgval">$result.fldavg$</set>
</done>
</search>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this:
... | eventstats last(xxx) AS _last_xxx
Then every row has an invisible field called _last_xxx with the last value of xxx so you can then use $result._last_xxx$.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this:
... | eventstats last(xxx) AS _last_xxx
Then every row has an invisible field called _last_xxx with the last value of xxx so you can then use $result._last_xxx$.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works perfectly. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@htrednek the default token $result.<fieldname>$ fetches the first row of result. So crooked way would be you use | reverse in your subsearch and your last row will become first row. Hence the $result.<fieldname>$ token will access the value from the last row.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using bigolsumm query in any visualization Or it's just for setting the token?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes. It's displayed as part of the table as well as setting the tokens.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok.... as far as I know, you can't set tokens from specific row number in the table. What you can do is create another search which is not used in any visualization but is using base="bigoldquery" and running your appendpipe stats are regular stats. The purpose of this search will be just to set tokens.
<search id="bigolsummtok" base="bigoldquery">
<query>
| stats sum(fld1) as fld1 sum(fld2) as fld2
| eval fldavg=round(fld1/fld2*100,1)
</query>
<done>
<set token="fld1val">$result.fld1$</set>
<set token="fld2val">$result.fld2$</set>
<set token="fldavgval">$result.fldavg$</set>
</done>
</search>
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
