help for catching a field in order to use it in an...

jip31 · ‎09-25-2019

Hi

In the saved search below, I retrieve the field "SITE" because I use a dropdown list in my dashboard in order to filter events by SITE

| stats avg(sent_data) as sent_data avg(received_data) as received_data, values(SITE) as SITE by USERNAME 
| where sent_data < 50 
| lookup XX.csv HOSTNAME as USERNAME output SITE 
| stats dc(USERNAME) as NbSentReceveid 
| appendcols 
    [| inputlookup host.csv 
    | lookup XX.csv HOSTNAME as host output SITE 
    | stats count as NbIndHost] 
| eval Perc=round((NbSentReceveid/NbIndHost)*100,1) 
| table Perc

I called the saved search from my dashboard like this

| loadjob savedsearch="admin:XX:YYY" 
| search SITE=$tok_filtersite|s$

But it doesn't works because I think I "lost" the fields SITE in my saved search after the stats command
Is it true?
I tried to add | table Perc, SITE at the end of my search and to add | fields - SITE at the end of my loadjob command but it doesnt works
What is wrong please??

niketn · ‎09-28-2019

@jip31 yes your stats command is dropping SITE field. Not sure what you are trying to do, but following is a way to retain site and get the distinct count by site.

| stats dc(USERNAME) as NbSentReceveid by SITE

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jip31 · ‎09-30-2019

Hi
I cant do "by SITE" because I use a single panel and if I am doing this its not the count which is displayed but the name of the SITE...
So I tried this :
I have had SITE after | table Perc SITE and I put | fields - SITE after | search SITE=$tok_filtersite|s$
is it good? (sorry I cant test it for the moment)

jacobpevans · ‎10-01-2019

Do what @niketnilay said for all of your stats and table commands, and then add this after your | search SITE=$tok_filtersite|s$:

| fields - SITE

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

jip31 · ‎09-28-2019

nobody cant help me please or my question is not clear??

Sukisen1981 · ‎09-29-2019

hi @jip31 - This is confusing and we need some more details. When you run your saved search query as is on the splunk web ui are you getting results for SITE?
As @niketnilay mentions, your stats is dropping out SITE, what output do you receive when you run your saved search query as is?

jip31 · ‎09-30-2019

hi, I have no results so I agree its becauseSITE is dropping out but I find a way to catch this field even if I dont need to display it in my saved search table panel
I just have to catch this field in order to be able to use the dropdown list in my main dashboard which let me to filter by SITE

niketn · ‎09-29-2019

Moved answer to comment so that the question remains unanswered and gets due attention from community Splunkers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

help for catching a field in order to use it in an loadjob command

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!