- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- makeresult token
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am making 5 tokens using below query :
<search>
<query>|makeresults |index=capaplan_wan_ibfs InOut="in"
| eval Device_Interface = orig_host . ":" . Interface
| fields - orig_host Interface
| table Device_Interface LoadDuration
| rex field=Device_Interface "^(?<Device>.*?):(?<Interface>.*)$"
| fields - Device_Interface | dedup Device | sort -LoadDuration | head 5 | table Device| transpose | rename "row 1" as device1 "row 2" as device2 "row 3" as device3 "row 4" as device4 "row 5" as device5
</query>
<earliest>-3mon</earliest>
<latest>now</latest>
<done>
<set token="tokDevice1">$result.device1$</set>
<set token="tokDevice2">$result.device2$</set>
<set token="tokDevice3">$result.device3$</set>
<set token="tokDevice4">$result.device4$</set>
<set token="tokDevice5">$result.device5$</set>
</done>
</search>
Now i want to use these tokens in my next panel query as input like
| mstats max(_value) as "Bits_in_sec" WHERE (metric_name="*in" ) AND (host=$tokDevice1$) by host
But its not getting the input i.e. the token vaule is not getting passed. Pleasehelp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @surekhasplunk,
Your search seems to be broken because you are using two generating clause in a row. Please remove makeresults as follows :
<query>index=capaplan_wan_ibfs InOut="in"
| eval Device_Interface = orig_host . ":" . Interface
| fields - orig_host Interface
| table Device_Interface LoadDuration
| rex field=Device_Interface "^(?<Device>.*?):(?<Interface>.*)$"
| fields - Device_Interface | dedup Device | sort -LoadDuration | head 5 | table Device| transpose | rename "row 1" as device1 "row 2" as device2 "row 3" as device3 "row 4" as device4 "row 5" as device5
</query>
Or if you really need to keep the results from makeresults for some reason then you will need to use append:
<query>|makeresults |append [|index=capaplan_wan_ibfs InOut="in"]
| eval Device_Interface = orig_host . ":" . Interface
| fields - orig_host Interface
| table Device_Interface LoadDuration
| rex field=Device_Interface "^(?<Device>.*?):(?<Interface>.*)$"
| fields - Device_Interface | dedup Device | sort -LoadDuration | head 5 | table Device| transpose | rename "row 1" as device1 "row 2" as device2 "row 3" as device3 "row 4" as device4 "row 5" as device5
</query>
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @surekhasplunk,
Your search seems to be broken because you are using two generating clause in a row. Please remove makeresults as follows :
<query>index=capaplan_wan_ibfs InOut="in"
| eval Device_Interface = orig_host . ":" . Interface
| fields - orig_host Interface
| table Device_Interface LoadDuration
| rex field=Device_Interface "^(?<Device>.*?):(?<Interface>.*)$"
| fields - Device_Interface | dedup Device | sort -LoadDuration | head 5 | table Device| transpose | rename "row 1" as device1 "row 2" as device2 "row 3" as device3 "row 4" as device4 "row 5" as device5
</query>
Or if you really need to keep the results from makeresults for some reason then you will need to use append:
<query>|makeresults |append [|index=capaplan_wan_ibfs InOut="in"]
| eval Device_Interface = orig_host . ":" . Interface
| fields - orig_host Interface
| table Device_Interface LoadDuration
| rex field=Device_Interface "^(?<Device>.*?):(?<Interface>.*)$"
| fields - Device_Interface | dedup Device | sort -LoadDuration | head 5 | table Device| transpose | rename "row 1" as device1 "row 2" as device2 "row 3" as device3 "row 4" as device4 "row 5" as device5
</query>
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@surekhasplunk, kindly use the formatting (code sample) for readability.
What's the use of makeresults in your search? Are you getting result for your search in your panel?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @renjith.nair ,
The use of makeresult is to get the top 5 devices and set them with a token value so that i can use it in my other panel query. And i want to keep the query result hidden as well. so using makeresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@surekhasplunk, you dont need makeresults and more over the search will throw an error.
Try executing the search in a search window and see what you get.
Just remove the |makeresults from your search and you should be getting the token set.
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Makeresults
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
