Splunk Search

How to use tokens in same search query?

knalla
Path Finder

Hello,

I'm trying to pass values of field to other field. Is there a best way to do it?

Query:

index=alerts status=resolved | dedup incident_id|table incident_id user
| lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency, external_reference_id|search owner=unassigned |modifyincidents owner="$result.user$"

I'm trying to pass user value to owner.

Tags (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi knalla,
let me understand: $result.user$ token arrives from a dropdown input?
what's "modifyincidents"? it isn't a command.
Anyway, if you want to assign a token's value to a field, you can use the eval command:

index=alerts status=resolved 
| dedup incident_id
|table incident_id user 
| lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency, external_reference_id
| search owner=unassigned 
| eval owner="$result.user$"

The table command in the middle of a search it isn't useful, if you want to limit the fields that your search uses, use the fields command.

Bye.
Giuseppe

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...