Solved: Re: Passing a count to a token used for a label in...

jdbtee · ‎09-19-2014

Hi

I have a single which shows the total assets after a search.

I then want to add a token so that i can use the result of that search to add it a label, to show value /$value$

So the single would show: new

Then in the label it would be: / $tot_bar$ which would really be "/ foo.count"

So the final single would display: new / foo.count

somesoni2 · ‎09-19-2014

Try this

 index="456" | search field2="def" AS new | count(new) AS new | appendcols [search index="123" | search field="abc " AS foo | count(foo) as temp]  | eval final=new."/".temp | fields final

View solution in original post

somesoni2 · ‎09-19-2014

Try this

 index="456" | search field2="def" AS new | count(new) AS new | appendcols [search index="123" | search field="abc " AS foo | count(foo) as temp]  | eval final=new."/".temp | fields final

jdbtee · ‎10-06-2014

Perfect cheers

Passing a count to a token used for a label in Single

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL