I want to use a dropdown to change the field that the stats command function uses in calcuation. my token is called my_token.
example:
index=myindex mysearch | stats dc($my_token$) by mylocation
Is this possible?
Short answer: yes.
Tokens are string-replaced before the search is run, you can use them anywhere in your search.
hi,
it's possible,
try like this with that example using Dropdown
<form>
<fieldset>
<input type="time" token="field1">
<label></label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
<input type="dropdown" token="user" searchWhenChanged="true">
<label>Select a sourcetype:</label>
<choice value="*">ALL</choice>
<choice value="splunkd">splunkd</choice>
<choice value="audittrail">audittrail</choice>
<choice value="scheduler">scheduler</choice>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query>index=* OR index=_* |stats dc($user$) by source</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
<fields>["host","source","sourcetype"]</fields>
</event>
</panel>
</row>
</form>
please forgive my english.
Short answer: yes.
Tokens are string-replaced before the search is run, you can use them anywhere in your search.
If your token value has spaces in it.
Example: "this is the token value"
Then you'll want to put quotes around the token in your stats command.