How to use tokens in same search query?

knalla · ‎07-29-2019

Hello,

I'm trying to pass values of field to other field. Is there a best way to do it?

Query:

I'm trying to pass user value to owner.

gcusello · ‎07-29-2019

Hi knalla,
let me understand: $result.user$ token arrives from a dropdown input?
what's "modifyincidents"? it isn't a command.
Anyway, if you want to assign a token's value to a field, you can use the eval command:

index=alerts status=resolved 
| dedup incident_id
|table incident_id user 
| lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency, external_reference_id
| search owner=unassigned 
| eval owner="$result.user$"

The table command in the middle of a search it isn't useful, if you want to limit the fields that your search uses, use the fields command.

Bye.
Giuseppe

How to use tokens in same search query?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to use tokens in same search query?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases