Splunk Search

Passing a count to a token used for a label in Single

jdbtee
Path Finder

Hi

I have a single which shows the total assets after a search.

I then want to add a token so that i can use the result of that search to add it a label, to show value /$value$

so: index="123" | search field="abc " AS foo | count(foo) AS $tkn_bar$ | [search index="456" | search field2="def" AS new | count(new) AS new | fields new

So the single would show: new

Then in the label it would be: / $tot_bar$ which would really be "/ foo.count"

So the final single would display: new / foo.count

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try this

 index="456" | search field2="def" AS new | count(new) AS new | appendcols [search index="123" | search field="abc " AS foo | count(foo) as temp]  | eval final=new."/".temp | fields final

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try this

 index="456" | search field2="def" AS new | count(new) AS new | appendcols [search index="123" | search field="abc " AS foo | count(foo) as temp]  | eval final=new."/".temp | fields final

jdbtee
Path Finder

Perfect cheers

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...