Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to to take a specific 'cell' result and assign it as a token?

lennys26
Communicator
‎08-05-2022 07:26 AM

I have a query that returns multi-row and multi-column results. I want to be able to take a specific 'cell' result and assign it as a token.

I have done this with a single row table, using <set token="foo">$result.TYPE1$</set>, but cant get the syntax for a multi-row table.

For example, given the below, I want to tokenize the value chevy.

VEHICLE TYPE1 TYPE2
MOTO harley honda
CAR chevy oldsmobile
TRUCK fire garbage

 

I thought $result.CAR.TYPE1$ would do it, but nope. (To be fair, this problem has plagued my life for some time, but I have finally gotten to the point to ask).

This is not a drilldown or click.value, but a chart (results) that I want to pull out the specific value returned. 

Tags (2)
0 Karma
Reply

martinpu
Communicator
‎08-05-2022 09:48 AM

| eventstats values(TYPE1) as _TYPE1_values 
| eval _TYPE1_values=mvjoin(_TYPE1_values ," ")

And then set the value in the token:
 <set token="foo">$result._TYPE1_values$</set>

I'm not sure if this is the answer you are looking for but it is a kind of a hacky way of getting the values in one token. What do you plan to use the token values for?

0 Karma
Reply

lennys26
Communicator
‎08-08-2022 01:24 AM

To clarify a bit, let me give some additional info...

I am creating a dashboard where I will show the top 3 users in 4 different environments, then I will run specific queries against each of those users. I can run 3 independent searches, one for each environment to produce the below and then tokenize them, using  <set token="top_hit1">$result.first$</set>, etc.

Search1

environmentcol1col2col3col4
productiontop_user1top_user2top_user3top_user4

 

Search2

environmentcol1col2col3col4
non-productiontop_user1top_user2top_user3top_user4

 

Search3

environmentcol1col2col3col4
labtop_user1top_user2top_user3top_user4

 

BUT, to make things a bit cleaner, I prefer to put this all in one table, and using appendcols and a transpose, produce a 3 row x 3 column stats table.

environmentcol1col2col3col4
production top_user1top_user2top_user3top_user4
non-production top_user1top_user2top_user3top_user4
lab top_user1top_user2top_user3top_user4

 

I want to be able to tokenize each one individually so that I can, for example, run a query against the username who is lab top_user3.

SO, i am not looking to join fields, but rather tokenize the values of a specific field. I would think it would be something that I would like $result.lab.col3$ but it is not  🤔

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...