How to use tokens in same search query?

knalla · ‎07-29-2019

Hello,

I'm trying to pass values of field to other field. Is there a best way to do it?

Query:

I'm trying to pass user value to owner.

gcusello · ‎07-29-2019

Hi knalla,
let me understand: $result.user$ token arrives from a dropdown input?
what's "modifyincidents"? it isn't a command.
Anyway, if you want to assign a token's value to a field, you can use the eval command:

index=alerts status=resolved 
| dedup incident_id
|table incident_id user 
| lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency, external_reference_id
| search owner=unassigned 
| eval owner="$result.user$"

The table command in the middle of a search it isn't useful, if you want to limit the fields that your search uses, use the fields command.

Bye.
Giuseppe

How to use tokens in same search query?

Congratulations to the 2025-2026 SplunkTrust!

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

Your Guide to Splunk Digital Experience Monitoring

Join the Conversation

How to use tokens in same search query?

Congratulations to the 2025-2026 SplunkTrust!

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

Your Guide to Splunk Digital Experience Monitoring