Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Possible to set token values without displaying them?

shrutigupta
New Member
‎06-04-2017 01:20 PM

So, basically I've a query which ends something like this:

| eval uf = if(like(one_reason, "%unknown_failure%"), uf.thread_id, uf) 
| stats count by one_reason | sort -count

So I'm displaying a field called one_reason which can take a value called unknown_failure in which case I want the value of variable uf.
However I can't set token to $uf$
I've been accessing one_reason as $row.one_reason$
Any way to access uf without displaying it?
Thanks!

Tags (1)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-05-2017 05:34 AM

http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

This article has all the details you need.

You can create a dynamic drop down that populated the token but even if the user opens the the panel in search, they won't know what search created the token. They will only see the value that was set. That combined with using the _ method woodcock mentioned, should solve your problem.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-04-2017 10:16 PM

Believe it or not, YES! It is a little-known fact about Splunk that any field that starts with an underscore character ( _ ) will not be displayed on the Statustics tab but it is still accessible (with the exception of _time which is a very, VERY special field). You can (not) see the invisibility like this:

index=_* 
| stats count BY sourcetype
| sort 0 - count
| streamstats count AS _serial

And then add this to prove that it really is there:

| eval serial=_serial

So do this:

| eval uf = if(like(one_reason, "%unknown_failure%"), uf.thread_id, uf) 
| stats count values(uf) AS _uf BY one_reason | sort 0 - count

Or similar and then reference $_uf$

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...