Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Possible to set token values without displaying them?

shrutigupta
New Member
‎06-04-2017 01:20 PM

So, basically I've a query which ends something like this:

| eval uf = if(like(one_reason, "%unknown_failure%"), uf.thread_id, uf) 
| stats count by one_reason | sort -count

So I'm displaying a field called one_reason which can take a value called unknown_failure in which case I want the value of variable uf.
However I can't set token to $uf$
I've been accessing one_reason as $row.one_reason$
Any way to access uf without displaying it?
Thanks!

Tags (1)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-05-2017 05:34 AM

http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

This article has all the details you need.

You can create a dynamic drop down that populated the token but even if the user opens the the panel in search, they won't know what search created the token. They will only see the value that was set. That combined with using the _ method woodcock mentioned, should solve your problem.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-04-2017 10:16 PM

Believe it or not, YES! It is a little-known fact about Splunk that any field that starts with an underscore character ( _ ) will not be displayed on the Statustics tab but it is still accessible (with the exception of _time which is a very, VERY special field). You can (not) see the invisibility like this:

index=_* 
| stats count BY sourcetype
| sort 0 - count
| streamstats count AS _serial

And then add this to prove that it really is there:

| eval serial=_serial

So do this:

| eval uf = if(like(one_reason, "%unknown_failure%"), uf.thread_id, uf) 
| stats count values(uf) AS _uf BY one_reason | sort 0 - count

Or similar and then reference $_uf$

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...