Splunk Dev

Can we save output of a table in different tokens?

New Member


The output of a Splunk query is a table.
Can I save all results in different tokens?

Example (output of the Splunk query):

Row  Count_by_values
1    123
2    4567
3    5896
4    4573
5    3512

Here, can I store all values (123, 4567, 5896, 4573, 3512) in 5 different tokens?

0 Karma


@srujan0009 there could be multiple options to do this, but it depends on several things, like:
1) What do you want to do afterwards once you have the results from the above table?
2) Are there always five values, or can the number of results differ?

Please add more details for the community members to help.

Following are the three options I can think of:

1) Use post-processing to reuse the search to initiate further processing on existing results.
2) Use the search job ID (through the addinfo command or the $job.sid$ built-in search job token) to load the job results using the loadjob command and perform further actions on the results.
3) You can use the transpose command to convert rows to columns and fetch the default search job token for each result in the first row using the <done> or <progress> search event handler through the $result.fieldname$ token.
4) If you are on 6.6 or higher, Trellis can be used to break up row-level data into visualizations like Single Value, Gauges etc.

Following is a run-anywhere example for Option 3 with the transpose command, which assumes there are only 5 rows in all cases:

  <dashboard>
    <label>Token for each row value</label>
    <!-- Dummy search: post-process the base search with transpose so each Row becomes a column -->
    <search base="baseSearch">
      <query>|  transpose 5 header_field=Row
  |  rename "*" as "Field_*"</query>
      <!-- $result.<field>$ in a done handler exposes the first result row; one token per column -->
      <done>
        <set token="tokField1">$result.Field_1$</set>
        <set token="tokField2">$result.Field_2$</set>
        <set token="tokField3">$result.Field_3$</set>
        <set token="tokField4">$result.Field_4$</set>
        <set token="tokField5">$result.Field_5$</set>
      </done>
    </search>
    <row>
      <panel>
        <table>
          <!-- Base search: builds the five sample rows from the question with makeresults -->
          <search id="baseSearch">
            <query>|  makeresults
  |  fields - _time
  |  eval data="1 123;2 4567;3 5896;4 4573;5 3512"
  |  makemv data delim=";"
  |  mvexpand data
  |  makemv data delim=" "
  |  eval Row=mvindex(data,0), Count_by_values=mvindex(data,1)
  |  fields - data, _*
  |  table Row Count_by_values</query>
          </search>
          <option name="count">20</option>
          <option name="dataOverlayMode">none</option>
          <option name="drilldown">none</option>
          <option name="percentagesRow">false</option>
          <option name="rowNumbers">false</option>
          <option name="totalsRow">false</option>
          <option name="wrap">true</option>
        </table>
      </panel>
    </row>
    <row>
      <panel>
        <!-- Display the tokens set by the done handler -->
        <html>
          <ul>
            <li>tokField1: $tokField1$</li>
            <li>tokField2: $tokField2$</li>
            <li>tokField3: $tokField3$</li>
            <li>tokField4: $tokField4$</li>
            <li>tokField5: $tokField5$</li>
          </ul>
        </html>
      </panel>
    </row>
  </dashboard>
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
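As an added illustration of Option 2 from the answer above (this is not code from the original post), the following Simple XML dashboard captures the search job ID with the built-in $job.sid$ token in a <done> handler and then re-reads the finished job with the loadjob command, so the row count no longer has to be known in advance: the user picks a Row and the second panel pulls that row's Count_by_values out of the already-completed job instead of re-running the search. The search id, token names and panel layout (rowSearch, rowSid, rowPick) are names chosen for this example; the sample data is constructed the same way as in the answer.

```xml
<dashboard>
  <label>Reuse finished job results with loadjob (added example)</label>
  <row>
    <panel>
      <title>Original table (sample data constructed with makeresults)</title>
      <table>
        <search id="rowSearch">
          <query>| makeresults
| fields - _time
| eval data="1 123;2 4567;3 5896;4 4573;5 3512"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval Row=mvindex(data,0), Count_by_values=mvindex(data,1)
| fields - data, _*
| table Row Count_by_values</query>
          <!-- $job.sid$ is a built-in search job token; store it once the job has finished -->
          <done>
            <set token="rowSid">$job.sid$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <!-- depends= keeps this panel hidden until the job id token exists, so loadjob never runs with an empty sid -->
  <row>
    <panel depends="$rowSid$">
      <title>Count_by_values for the selected row, read back from job $rowSid$</title>
      <input type="dropdown" token="rowPick">
        <label>Row</label>
        <choice value="1">1</choice>
        <choice value="2">2</choice>
        <choice value="3">3</choice>
        <choice value="4">4</choice>
        <choice value="5">5</choice>
        <default>1</default>
      </input>
      <single>
        <search>
          <!-- loadjob returns the stored results of the finished job; filter to the chosen row -->
          <query>| loadjob $rowSid$ | where Row="$rowPick$" | fields Count_by_values</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
```

Because loadjob reads the saved results of the existing job, the base search runs only once, and any number of rows can be addressed by index or by another filter without one token per row.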


If you could share your actual requirement, we can try a different solution, because the requirement in your question is not a good approach for any problem/solution.

Now, the answer to your question is NO,

Because, using Simple XML, we can populate the Splunk tokens only using the fields in the last row of the result.

0 Karma

Path Finder

I cannot understand what you are trying to do... Can you explain and provide more info?

0 Karma