Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use tokens in same search query?

knalla
Path Finder
‎07-29-2019 07:49 AM

Hello,

I'm trying to pass values of field to other field. Is there a best way to do it?

Query:

index=alerts status=resolved | dedup incident_id|table incident_id user
| lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency, external_reference_id|search owner=unassigned |modifyincidents owner="$result.user$"

I'm trying to pass user value to owner.

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2019 08:07 AM

Hi knalla,
let me understand: $result.user$ token arrives from a dropdown input?
what's "modifyincidents"? it isn't a command.
Anyway, if you want to assign a token's value to a field, you can use the eval command:

index=alerts status=resolved 
| dedup incident_id
|table incident_id user 
| lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency, external_reference_id
| search owner=unassigned 
| eval owner="$result.user$"

The table command in the middle of a search it isn't useful, if you want to limit the fields that your search uses, use the fields command.

Bye.
Giuseppe

Reply
Get Updates on the Splunk Community!

Best Strategies to Optimize Observability Costs

 Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...