Not sure if we are allowed to answer our own questions but I thought I'd add this in case someone else is trying to do the same thing.
The trick was to reformat the data into a single row with the column names being your "keys."
Once your data is in this format you can create as many tokens as you want and eval can be used to handle the case where a key was not generated for the specific search.
```
if($result.key_AB$!=0,$result.key_AB$,0)
if($result.key_AC$!=0,$result.key_AC$,0)
```
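An added example of the approach described in the post above, written as a Simple XML dashboard; it is not the poster's own dashboard. The sample rows are constructed with `makeresults` from the A/B/5, A/C/6 table in the question, and the `raw` and `key` field names, the `token_a_c` token and the label are assumptions made for illustration.

```xml
<dashboard>
  <label>Table cells as tokens (added example)</label>
  <!-- Background search: runs when the dashboard loads and renders nothing itself -->
  <search>
    <query><![CDATA[
| makeresults
| eval raw="A,B,5;A,C,6"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<header_1>[^,]+),(?<header_2>[^,]+),(?<value>\d+)"
| eval key="key_".header_1.header_2
| table key value
| transpose 0 header_field=key
| fields - column
    ]]></query>
    <done>
      <!-- After the transpose there is one row with columns key_AB and key_AC,
           so each cell is reachable as $result.<column>$.
           The eval expressions are the ones given in the post. -->
      <eval token="token_a_b">if($result.key_AB$!=0,$result.key_AB$,0)</eval>
      <eval token="token_a_c">if($result.key_AC$!=0,$result.key_AC$,0)</eval>
    </done>
  </search>
  <row>
    <panel>
      <html>
        <!-- Constructed markup: each token is placed where the cell value should appear -->
        <p>A/B: $token_a_b$</p>
        <p>A/C: $token_a_c$</p>
      </html>
    </panel>
  </row>
</dashboard>
```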
@niketnilay This wouldn't be a drilldown search, it would run in the background to generate a number of tokens. It works fine for a single token doing the below, but I want to be able to specify a more complicated token target.
<set token="field_1">$result.field_1$</set>
Good Morning.
I'm trying to populate an HTML page using the results of a search. To do this, I've been creating tokens from the output of each search then putting those in the HTML. The output of one of my searches is a table. Is there a way to select a specific box in the table to use as a token?
Example
header_1, header_2, value
A, B, 5
A, C, 6
<set token="token_a_b">results.header_1=A.header_2=B</set>
The original example I posted is non-continuous, but another example of values that could be in Range would be: '1536695705-1536868507, 1536954904-1537214108'
Okay there must be something else going on then, I do sub searches like this quite frequently though not with _raw. Check out the docs here for more info on sub searches:
https://docs.splunk.com/Documentation/SplunkCloud/7.0.3/SearchTutorial/Useasubsearch
Make sure you are not using operators before the search. For example, you posted this
index=A AND source="wineventlog:setup" _raw!=[search index=B AND source="wineventlog:setup" | dedup _raw]
But try this instead
index=A AND source="wineventlog:setup" [search index=B AND source="wineventlog:setup" | dedup _raw | table _raw]
Hey thanks for the response, unfortunately my ranges can be anywhere from 0 to 50 values so this will not work. Additionally, they may not be continuous so only looking if the number is between the first start and the last end may miss some values.
If your events have a unique ID field then you use a search to filter the events.
index=A NOT [search index=B | table ID]
If you do not have an ID field you can simply list all the fields.
index=A NOT [search index=B | table Field1, Field2, Field3]
If there is no difference between the events you can also do this.
index=A NOT [search index=B]
Hello!
Is there a way to check if a number is between a list of ranges in a multi value field?
For example on this table, I would want to create a new true/false field based on if "Value" is between one of the values in the Ranges column. I know this should be possible with mvexpand but that would get quite verbose especially if there were multiple sets of Ranges.
I tried looking but I couldn't find a 'for each' equivalent for multi value fields though maybe there is something I missed.
Thanks for the help!