In the saved search below, I retrieve the field "SITE" because I use a dropdown list in my dashboard in order to filter events by SITE:
| stats avg(sent_data) as sent_data avg(received_data) as received_data, values(SITE) as SITE by USERNAME | where sent_data < 50 | lookup XX.csv HOSTNAME as USERNAME output SITE | stats dc(USERNAME) as NbSentReceveid | appendcols [| inputlookup host.csv | lookup XX.csv HOSTNAME as host output SITE | stats count as NbIndHost] | eval Perc=round((NbSentReceveid/NbIndHost)*100,1) | table Perc
I called the saved search from my dashboard like this:
| loadjob savedsearch="admin:XX:YYY" | search SITE=$tok_filtersite|s$
But it doesn't work because I think I "lost" the field SITE in my saved search after the stats command.
Is it true?
I tried to add | table Perc, SITE at the end of my search and to add | fields - SITE at the end of my loadjob command, but it doesn't work.
What is wrong please??
@jip31 yes, your stats command is dropping the SITE field. Not sure what you are trying to do, but the following is a way to retain SITE and get the distinct count by site.
| stats dc(USERNAME) as NbSentReceveid by SITE
I can't do "by SITE" because I use a single panel, and if I do this it's not the count which is displayed but the name of the SITE...
So I tried this:
I have added SITE after | table Perc SITE and I put | fields - SITE after | search SITE=$tok_filtersite|s$
Is it good? (Sorry, I can't test it at the moment.)
Do what @niketnilay said for all of your table commands, and then add this after your | search SITE=$tok_filtersite|s$:
| fields - SITE
Hi @jip31 - This is confusing and we need some more details. When you run your saved search query as is on the Splunk Web UI, are you getting results for SITE?
As @niketnilay mentions, your stats is dropping out SITE, what output do you receive when you run your saved search query as is?
Hi, I have no results, so I agree it's because SITE is dropping out, but I find a way to catch this field even if I don't need to display it in my saved search table panel.
I just have to catch this field in order to be able to use the dropdown list in my main dashboard, which lets me filter by SITE.
Moved answer to comment so that the question remains unanswered and gets due attention from community Splunkers.
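The fix discussed in this thread, written out as an added example (not posted by any participant): the final stats keeps SITE in its by clause, and the host count is joined per SITE instead of with appendcols, so each site's percentage is computed against that site's own host total. It assumes a per-site percentage is what the panel should show; all field, lookup and search names are the ones from the question, and the base search before the first stats is elided as in the question.

```spl
| stats avg(sent_data) as sent_data avg(received_data) as received_data, values(SITE) as SITE by USERNAME
| where sent_data < 50
| lookup XX.csv HOSTNAME as USERNAME output SITE
| stats dc(USERNAME) as NbSentReceveid by SITE
| join type=left SITE
    [| inputlookup host.csv
     | lookup XX.csv HOSTNAME as host output SITE
     | stats count as NbIndHost by SITE]
| eval Perc=round((NbSentReceveid/NbIndHost)*100,1)
| table SITE Perc
```

In the panel, the loadjob search from the question followed by | fields - SITE then filters on the selected site and leaves only Perc for the single-value display.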