Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on issue between a loadjob savedsearch and a

jip31
Motivator
‎08-22-2019 11:31 PM

hi

I called a scheduled from my dashboard

| loadjob savedsearch="admin:XX:Hardware - Battery cycle pie" 
| search Site=$tok_filtersite|s$

I have an issue with | search Site=$tok_filtersite|s$ because with it I have no results in my dashboard but if I delete it I have results

My search is this one :

| inputlookup tablet_host.csv 
| lookup toto.csv "Hostname00" as host OUTPUT CycleCount00 
| where CycleCount00 > 200 
| lookup titi.csv HOSTNAME as host output SITE 
| stats count as NbHostCycleSup300 
| appendcols 
    [| inputlookup host.csv 
    | stats count as NbIndHost] 
| eval NbHostCycleInf300 = (NbIndHost - NbHostCycleSup300) 
| eval NbHostCycleSup300=NbHostCycleSup300, NbHostCycleInf300=NbHostCycleInf300 
| table NbHostCycleSup300 NbHostCycleInf300 SITE
| rename NbHostCycleSup300 as "> 300", NbHostCycleInf300  as "< 300", SITE as Site
| transpose

So why when I add | search Site=$tok_filtersite|s$ I have no results?
thanks

Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-23-2019 06:05 AM

You get no results with | search Site=$tok_filtersite|s$ because it's searching for something that doesn't exist. There is no tok_filtersite token defined.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-23-2019 06:05 AM

You get no results with | search Site=$tok_filtersite|s$ because it's searching for something that doesn't exist. There is no tok_filtersite token defined.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-26-2019 02:00 AM

I dont understant what you mean because I retrieve the fields Site like this:
| lookup titi.csv HOSTNAME as host output SITE
| rename SITE as Site

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-28-2019 06:05 AM

That gives you a field called 'Site', not one called 'tok_filtersite'. Try | search Site=$Site|s$.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-29-2019 01:18 AM

tok_filtersite is the token value of a dropdown list
In this dropdown list I retrieve the field SITE from a csv file
So when i am doing | search Site=$tok_filtersite|s$ its for doing a search from the Site valuz i have selected in my dropdown list

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2019 05:26 AM

Thanks for the explanation.
Have you looked at the output following transpose? I believe you will not have a Site field after that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-03-2019 01:03 AM

thanks for your help

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...