I don't know that I fully understand your use case, but it sounds like you want to use a macro. This would allow you to pass a field to it in the course of your search and have a standard output. In your macro you can put pipes and all that business, but if it is a one-command macro I tend not to do that and instead put the pipe in the search, as it looks more natural.
Macro
Name: getSomeFieldValue(1) #you need to put a number in the name like this for each field you are going to pass
Definition: eval fieldValue = $somefield$
Arguments: somefield
When you call the macro in the query you will need to start and end it with backticks (not single quotes; usually the key to the left of the 1 key):
sourcetype=foo bar=* | `getSomeFieldValue(bar)` | stats count by fieldValue
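Here is the same macro written out end to end so it can be tried without any indexed data. This is an added example, not part of the original answer: the macros.conf stanza mirrors the Name/Definition/Arguments fields above, and the search builds its own test events with makeresults instead of assuming a sourcetype named foo. The macro name, the argument name somefield and the field bar are the thread's own; the sample values are constructed.

```spl
# macros.conf (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf)
# The "(1)" suffix is the argument count; Splunk resolves
# `getSomeFieldValue(x)` to the stanza getSomeFieldValue(1).
[getSomeFieldValue(1)]
args = somefield
definition = eval fieldValue = $somefield$

# Search: constructed sample events (no real sourcetype needed), then the macro.
# $somefield$ is replaced textually by the token passed at call time, so
# `getSomeFieldValue(bar)` becomes `eval fieldValue = bar` before the search runs.
| makeresults count=3
| streamstats count AS n
| eval bar = case(n==1, "alpha", n==2, "beta", n==3, "alpha")
| `getSomeFieldValue(bar)`
| stats count BY fieldValue
```

Expected result is two rows, alpha with count 2 and beta with count 1. Because the substitution is purely textual, the argument must be a field name (or any SPL expression) that is valid where the macro expands; passing a field name held as a string value in another field would not work here, which is the limitation the follow-up question raises.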
Hi,
If the field name is known up front, then the above solution works fine. But if the field name is coming from a dashboard user, then we don't have any direct way of fetching the field by using a string token. For example, the following are the incidents that occurred in the last 5 months:
Jan | Feb | Mar | Apr | May
20 | 15 | 8 | 17 | 22
Now, the user can select any one of the months and it will be copied into a field "selectedMonth". Whatever month is selected, e.g. Mar, we want to pull the information from the "Mar" field and display it to the user.
This is just an example. Using a custom search command, this can be achieved very easily, but wanted to check if this is already supported in SPL.
Thanks!!
I wondered if that was the overarching use case. The solution options somewhat depend on the version of Splunk you are running. I suggest downloading an app called Splunk Dashboard Examples, which will show you how to achieve what you are after. Up through 6.1 you can control the drilldown behavior so that if a user clicks elements on a dashboard panel they will open a new dashboard with values from whatever they clicked on the first (passing a token). In 6.2 you are able to pass those tokens to other panels within the same dashboard. I'd give you an example, but the example app is REALLY well done IMO and covers this well.
Hello! How about just giving the value of FieldName directly to fieldValue?
..|eval fieldValue=FieldName
Notice that I did not use "FieldName" (in quotes).
In some cases, we don't know what FieldName we want to search for. FieldName token is not available upfront.
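As an added example (not from any of the posters above), the following shows the two ways the "month name held in selectedMonth" case can be handled in SPL without a custom search command. The data is constructed with makeresults to match the table in the question; the field names Jan..May and selectedMonth are the thread's, and the dashboard token $selectedMonth$ is assumed to be an input token in the dashboard.

```spl
# Case 1: the month name is a dashboard token.
# Dashboard tokens are substituted into the search string before it runs,
# so the token can be used directly as a field reference. Single quotes
# tell eval to treat the substituted text as a field name, not a string.
| makeresults
| eval Jan=20, Feb=15, Mar=8, Apr=17, May=22
| eval fieldValue = '$selectedMonth$'
| table fieldValue

# Case 2: the month name is only available at search time, as the string
# value of the field selectedMonth. foreach walks the listed fields; inside
# the subsearch, "<<FIELD>>" is the current field's NAME as a string and
# '<<FIELD>>' is its VALUE, so we copy the value only for the matching name.
| makeresults
| eval Jan=20, Feb=15, Mar=8, Apr=17, May=22
| eval selectedMonth = "Mar"
| foreach Jan Feb Mar Apr May
    [ eval fieldValue = if("<<FIELD>>" == selectedMonth, '<<FIELD>>', fieldValue) ]
| table selectedMonth fieldValue
```

Both searches return 8 for Mar. Case 1 is the simpler route whenever the selection really originates from a dashboard input; Case 2 is the one to reach for when the field name is computed inside the search itself (from a lookup, a subsearch, or a prior eval), which is the situation where string tokens cannot help.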