- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to pass a variable value from one search to an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Following is the advance xml code, where I have defined a search command in a postprocess module and want to pass a variable from this command to another nested search.
<module name="PostProcess" layoutPanel="panel_row1_col1">
<param name="search">|inputcsv filename.csv |table titlehead||head 1|rename titlehead as title|table title| eval result= "The result of final calc is:" + title|table result</param>
<module name="ResultsValueSetter">
<param name="fields">title </param>
<module name="HTML" layoutPanel="panel_row1_col1">
<param name="html"><![CDATA[
<table cellpadding="4" cellspacing="0" style="width: auto;font-size:20px;">
<tr>
<th align="left">
$title$
</th>
</tr>
</table>
]]></param>
</module>
<module name="Search" layoutPanel="panel_row1_col1">
<param name="search"><![CDATA[
|inputcsv detailedfile.csv |table xyz|head 1| eval result = xyz + $title$
]]></param>
<module name="Pager">
<param name="count">100</param>
<module name="Table" ></module>
</module>
</module>
</module>
</module>`
I am using ResultValueSetter in this, it gives the answer only when the title comes as the final result of first search command. I am not able to to call $title$ in the second search command.
Please Help...!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You want to remove the |table result on the end of your postprocess search, or at least change it to say |table result title. The way it is now you are throwing the title field away and thus ResultsValueSetter wont be able to pull it down.
You can also specify multiple fields in the ResultsValueSetter module's "fields" param so one way to read your question is that you're trying to do
<param name="fields">title, result</param>
and that would allow you to use both $title$ and $result$ however you like. Again you do need to make sure that both of those fields are present in the first row of the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You want to remove the |table result on the end of your postprocess search, or at least change it to say |table result title. The way it is now you are throwing the title field away and thus ResultsValueSetter wont be able to pull it down.
You can also specify multiple fields in the ResultsValueSetter module's "fields" param so one way to read your question is that you're trying to do
<param name="fields">title, result</param>
and that would allow you to use both $title$ and $result$ however you like. Again you do need to make sure that both of those fields are present in the first row of the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The name of the field returned by first query is 'result' (after table command) and field name that you are using elsewhere is 'title'. I would correct that first and than try.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but that is the issue, I want the "result" to display the output on ui, plus pass the value of "title" (which is in between the search command).
Is there any alternative to ResultValueSetter?
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
Introducing the Splunk Community Dashboard Challenge!
