Splunk Search

How to take a specific 'cell' result and assign it as a token?

lennys26
Communicator

I have a query that returns multi-row and multi-column results. I want to be able to take a specific 'cell' result and assign it as a token.

I have done this with a single row table, using <set token="foo">$result.TYPE1$</set>, but can't get the syntax for a multi-row table.

For example, given the below, I want to tokenize the value chevy.

VEHICLE TYPE1 TYPE2
MOTO harley honda
CAR chevy oldsmobile
TRUCK fire garbage


I thought $result.CAR.TYPE1$ would do it, but nope. (To be fair, this problem has plagued my life for some time, but I have finally gotten to the point to ask).

This is not a drilldown or click.value, but a chart (results) that I want to pull out the specific value returned. 

0 Karma

martinpu
Communicator

| eventstats values(TYPE1) as _TYPE1_values
| eval _TYPE1_values=mvjoin(_TYPE1_values, " ")

And then set the value in the token:

<set token="foo">$result._TYPE1_values$</set>

I'm not sure if this is the answer you are looking for but it is a kind of a hacky way of getting the values in one token. What do you plan to use the token values for?

0 Karma

lennys26
Communicator

To clarify a bit, let me give some additional info...

I am creating a dashboard where I will show the top 3 users in 4 different environments, then I will run specific queries against each of those users. I can run 3 independent searches, one for each environment, to produce the below and then tokenize them, using <set token="top_hit1">$result.first$</set>, etc.

Search1

environment      col1       col2       col3       col4
production       top_user1  top_user2  top_user3  top_user4

Search2

environment      col1       col2       col3       col4
non-production   top_user1  top_user2  top_user3  top_user4

Search3

environment      col1       col2       col3       col4
lab              top_user1  top_user2  top_user3  top_user4

BUT, to make things a bit cleaner, I prefer to put this all in one table, and using appendcols and a transpose, produce a 3 row x 3 column stats table.

environment      col1       col2       col3       col4
production       top_user1  top_user2  top_user3  top_user4
non-production   top_user1  top_user2  top_user3  top_user4
lab              top_user1  top_user2  top_user3  top_user4

I want to be able to tokenize each one individually so that I can, for example, run a query against the username who is lab top_user3.

So, I am not looking to join fields, but rather to tokenize the value of a specific field. I would think it would be something like $result.lab.col3$, but it is not 🤔

0 Karma
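Added example (not from either poster, and not Splunk's own code) showing one way to get a single cell out of a multi-row result into a token, for both the VEHICLE/TYPE1 table in the original question and the environment/col1..col4 table in the follow-up. The mechanism it relies on: in a SimpleXML `<done>` handler, `$result.<field>$` reads only the first row of the results, and token names are flat, so there is no `$result.<row>.<column>$` form. The fix is to reshape the search so every cell becomes its own field on one row, named `<rowkey>_<column>`, which the `<done>` handler can then address directly. The `makeresults`/`eval` block is constructed sample data standing in for the real search; the `<search id>` names, token names and the `index=auth` reference in the comment are assumptions.

```xml
<dashboard>
  <label>Cell to token (added example)</label>

  <!-- Base search. The makeresults/case block is CONSTRUCTED sample data
       reproducing the table from the question; replace it with the real
       search that yields VEHICLE, TYPE1, TYPE2 (or environment, col1..col4). -->
  <search id="vehicles">
    <query>
| makeresults count=3
| streamstats count AS n
| eval VEHICLE=case(n==1,"MOTO", n==2,"CAR", n==3,"TRUCK")
| eval TYPE1=case(n==1,"harley", n==2,"chevy", n==3,"fire")
| eval TYPE2=case(n==1,"honda", n==2,"oldsmobile", n==3,"garbage")
| fields VEHICLE TYPE1 TYPE2
| eval k1=VEHICLE."_TYPE1", k2=VEHICLE."_TYPE2"
| eval {k1}=TYPE1
| eval {k2}=TYPE2
| fields - _time n VEHICLE TYPE1 TYPE2 k1 k2
| stats values(*) AS *
    </query>
    <!-- After the reshape there is exactly one row with fields MOTO_TYPE1,
         MOTO_TYPE2, CAR_TYPE1, CAR_TYPE2, TRUCK_TYPE1, TRUCK_TYPE2, so
         $result.CAR_TYPE1$ is "chevy" and $result.TRUCK_TYPE2$ is "garbage". -->
    <done>
      <set token="car_type1">$result.CAR_TYPE1$</set>
      <set token="truck_type2">$result.TRUCK_TYPE2$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Cells pulled into tokens</title>
      <table>
        <search>
          <!-- The |s filter wraps the token value in double quotes and
               escapes embedded quotes. Use it whenever a token that came
               out of search results is substituted into another search
               (for example index=auth user=$car_type1|s$), so a value such
               as  x" OR *  cannot change the meaning of the query. -->
          <query>| makeresults
| eval car_type1=$car_type1|s$, truck_type2=$truck_type2|s$
| fields - _time</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

For the environment table the same reshape applies with `environment` as the row key and `col1`..`col4` as the columns (`eval k3=environment."_col3" | eval {k3}=col3`, and so on), after which the lab top_user3 cell is `$result.lab_col3$`. Row-key values containing characters you would not want in a field name (the hyphen in `non-production`) are easiest to handle by normalising them first, e.g. `eval environment=replace(environment,"-","_")`, so the token becomes `$result.non_production_col3$`.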