Splunk Search

Possible to set token values without displaying them?

shrutigupta
New Member

So, basically I've a query which ends something like this:

| eval uf = if(like(one_reason, "%unknown_failure%"), uf.thread_id, uf) 
| stats count by one_reason | sort -count

So I'm displaying a field called one_reason which can take a value called unknown_failure in which case I want the value of variable uf.
However I can't set token to $uf$
I've been accessing one_reason as $row.one_reason$
Any way to access uf without displaying it?
Thanks!

Tags (1)
0 Karma

jkat54
SplunkTrust
SplunkTrust

http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

This article has all the details you need.

You can create a dynamic drop down that populated the token but even if the user opens the the panel in search, they won't know what search created the token. They will only see the value that was set. That combined with using the _ method woodcock mentioned, should solve your problem.

0 Karma

woodcock
Esteemed Legend

Believe it or not, YES! It is a little-known fact about Splunk that any field that starts with an underscore character ( _ ) will not be displayed on the Statustics tab but it is still accessible (with the exception of _time which is a very, VERY special field). You can (not) see the invisibility like this:

index=_* 
| stats count BY sourcetype
| sort 0 - count
| streamstats count AS _serial

And then add this to prove that it really is there:

| eval serial=_serial

So do this:

| eval uf = if(like(one_reason, "%unknown_failure%"), uf.thread_id, uf) 
| stats count values(uf) AS _uf BY one_reason | sort 0 - count

Or similar and then reference $_uf$

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...