Splunk Search

How do I get data from a stats table to send as a token?

jadengoho
Builder

Hi ,
I have a table with a single data value inside.

  |makeresults 
   |eval value=1

I just want to get the value "1" and send as a token after the table completely finish.

Currently, i can get the data but only when i click the field.

Thanks in advance

Tags (2)
0 Karma
1 Solution

renjith_nair
Legend

@jadengoho ,
You can add a event based token on the completion of search of table by using done.
E.g.

<dashboard>
  <label>Auto Load Of Token</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval value=1</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
          <done>
            <set token="value_token">$result.value$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>|makeresults|eval mytoken=$value_token$</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>
---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:

View solution in original post

0 Karma

renjith_nair
Legend

@jadengoho ,
You can add a event based token on the completion of search of table by using done.
E.g.

<dashboard>
  <label>Auto Load Of Token</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval value=1</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
          <done>
            <set token="value_token">$result.value$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>|makeresults|eval mytoken=$value_token$</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>
---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:
0 Karma

overratedkungmi
New Member
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...