How to pass a variable value from one search to another in advanced XML?

harshal_chakran
Builder

Hi,
Following is the advanced XML code, where I have defined a search command in a postprocess module and want to pass a variable from this command to another nested search.

<module name="PostProcess" layoutPanel="panel_row1_col1">
  <param name="search">|inputcsv filename.csv |table titlehead|head 1|rename titlehead as title|table title| eval result= "The result of final calc is:" + title|table result</param>

  <module name="ResultsValueSetter">
    <param name="fields">title </param>

    <module name="HTML" layoutPanel="panel_row1_col1">
      <param name="html"><![CDATA[ 
        <table cellpadding="4" cellspacing="0" style="width: auto;font-size:20px;">
          <tr>
            <th align="left">
             $title$
            </th>
          </tr> 
        </table>  
      ]]></param>
    </module>
    <module name="Search" layoutPanel="panel_row1_col1">
      <param name="search"><![CDATA[
         |inputcsv detailedfile.csv |table xyz|head 1| eval result = xyz + $title$

      ]]></param>

      <module name="Pager">
        <param name="count">100</param>

        <module name="Table" ></module>
      </module>

    </module>
  </module> 
</module>

I am using ResultValueSetter in this, it gives the answer only when the title comes as the final result of first search command. I am not able to call $title$ in the second search command.

Please Help...!!!

0 Karma

sideview
SplunkTrust

You want to remove the |table result on the end of your postprocess search, or at least change it to say |table result title. The way it is now you are throwing the title field away and thus ResultsValueSetter won't be able to pull it down.

You can also specify multiple fields in the ResultsValueSetter module's "fields" param so one way to read your question is that you're trying to do

<param name="fields">title, result</param>

and that would allow you to use both $title$ and $result$ however you like. Again you do need to make sure that both of those fields are present in the first row of the results.

0 Karma
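
The two changes from the answer above, applied to the view from the question. This is an added example, not code posted by anyone in the thread. Showing $result$ in the HTML module follows the asker's stated goal, and quoting "$title$" in the nested search is an assumption (the token is inserted as plain text, and xyz is taken to be a string field).

```xml
<!-- Added example: the modules from the question with the answer's two changes. -->
<module name="PostProcess" layoutPanel="panel_row1_col1">
  <!-- Final table keeps both fields; ending on "|table result" alone drops title. -->
  <param name="search">|inputcsv filename.csv |table titlehead |head 1 |rename titlehead as title |table title |eval result="The result of final calc is:" + title |table result title</param>

  <module name="ResultsValueSetter">
    <!-- Both fields must be present in the first row of the results. -->
    <param name="fields">title, result</param>

    <module name="HTML" layoutPanel="panel_row1_col1">
      <param name="html"><![CDATA[
        <table cellpadding="4" cellspacing="0" style="width: auto;font-size:20px;">
          <tr>
            <th align="left">
              $result$
            </th>
          </tr>
        </table>
      ]]></param>
    </module>

    <module name="Search" layoutPanel="panel_row1_col1">
      <!-- Assumption: $title$ is substituted as text, so it is quoted here
           to reach eval as a string literal rather than a field name. -->
      <param name="search"><![CDATA[
        |inputcsv detailedfile.csv |table xyz |head 1 |eval result = xyz + "$title$"
      ]]></param>

      <module name="Pager">
        <param name="count">100</param>

        <module name="Table"></module>
      </module>
    </module>
  </module>
</module>
```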

somesoni2
SplunkTrust

The name of the field returned by the first query is 'result' (after the table command) and the field name that you are using elsewhere is 'title'. I would correct that first and then try.

0 Karma

harshal_chakran
Builder

But that is the issue, I want the "result" to display the output on the UI, plus pass the value of "title" (which is in between the search command).
Is there any alternative to ResultValueSetter?

0 Karma