Splunk Search

How do you set multiple tokens from the output of a search?

charlesmcdonald
Path Finder

Good Morning.

I'm trying to populate an HTML page using the results of a search. To do this, I've been creating tokens from the output of each search then putting those in the HTML. The output of one of my searches is a table. is there a way to select a specific box in the table to use as a token?

Example
header_1, header_2, value
A, B, 5
A, C, 6

<set token="token_a_b">results.header_1=A.header_2=B</set>

0 Karma
1 Solution

charlesmcdonald
Path Finder

Not sure if we are allowed to answer our own questions but I thought I'd add this incase someone else is trying to do the same thing.

The trick was to reformat the data into a single row with the column names being your "keys."
Once your data is in this format you can create as many tokens as you want and eval can be used to handle the case where a key was not generated for the specific search.

`
if($result.key_AB$!=0,$result.key_AB$,0)
if($result.key_AC$!=0,$result.key_AC$,0)

`

View solution in original post

charlesmcdonald
Path Finder

Not sure if we are allowed to answer our own questions but I thought I'd add this incase someone else is trying to do the same thing.

The trick was to reformat the data into a single row with the column names being your "keys."
Once your data is in this format you can create as many tokens as you want and eval can be used to handle the case where a key was not generated for the specific search.

`
if($result.key_AB$!=0,$result.key_AB$,0)
if($result.key_AC$!=0,$result.key_AC$,0)

`

richgalloway
SplunkTrust
SplunkTrust

@charlesmcdonald If your problem is resolved, please accept the answer to help future readers. Yes, you are allowed to accept your own answers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

niketn
Legend

@charlesmcdonald for the tabular data in your question, what are the two values you want to set as token when a table cell is clicked?

You can check out Splunk Documentation for enabling Table Drilldown: http://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

charlesmcdonald
Path Finder

@niketnilay This wouldn't be a dilldown search, it would run in the background to generate a number of tokens. It works fine for a single token doing the below, but I want to be able to specify a more complicated token target.

<set token="field_1">$result.field_1$</set>

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...