Hi all,

I am trying to figure out a way to, based on the data available in the table below, add a column to the Yesterday and Last Week's tables with the delta between the values:

The queries in the panels are simple stats counts grouped by Site (BDC or SOC) with the addtotals command specified. To display the values for yesterday and last week I am using time shifts within the query. As an example, this is the "yesterday's" timeshift:

    [| makeresults
    | addinfo
    | eval earliest=info_min_time - 86400
    | eval latest=info_max_time - 86400
    | table earliest latest]

I need to add a column in both the Yesterday and Last Week's tables that shows the volume's delta in comparison with Today. I am trying to pass the results of the first query as a token so I can reference it in the other queries and use eval to calculate the delta, but I can't make it work. This is the line I have added to the JSON to pass the result as a token:

    "eventHandlers": [
        {
            "type": "action.setToken",
            "options": {
                "tokens": {
                    "todayVolume": "$result.Count$"
                }
            }
        }
    ],

When I try this approach, Splunk complains that the token "$result.Count$" hasn't been set. I was also exploring the idea of using chain searches, but I think Dynamic Tokens are a cleaner, more efficient solution.

I'd appreciate it if I could get some assistance with figuring this out. Thank you in advance.