Possible to set token values without displaying th...

shrutigupta · ‎06-04-2017

So, basically I've a query which ends something like this:

| eval uf = if(like(one_reason, "%unknown_failure%"), uf.thread_id, uf) 
| stats count by one_reason | sort -count

So I'm displaying a field called one_reason which can take a value called unknown_failure in which case I want the value of variable uf.
However I can't set token to $uf$
I've been accessing one_reason as $row.one_reason$
Any way to access uf without displaying it?
Thanks!

jkat54 · ‎06-05-2017

http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

This article has all the details you need.

You can create a dynamic drop down that populated the token but even if the user opens the the panel in search, they won't know what search created the token. They will only see the value that was set. That combined with using the _ method woodcock mentioned, should solve your problem.

woodcock · ‎06-04-2017

Believe it or not, YES! It is a little-known fact about Splunk that any field that starts with an underscore character ( _ ) will not be displayed on the Statustics tab but it is still accessible (with the exception of _time which is a very, VERY special field). You can (not) see the invisibility like this:

index=_* 
| stats count BY sourcetype
| sort 0 - count
| streamstats count AS _serial

And then add this to prove that it really is there:

| eval serial=_serial

So do this:

| eval uf = if(like(one_reason, "%unknown_failure%"), uf.thread_id, uf) 
| stats count values(uf) AS _uf BY one_reason | sort 0 - count

Or similar and then reference $_uf$

Possible to set token values without displaying them?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...