Solved: How to convert the stats field to string?

jieli · ‎04-21-2020

I used a column of the stats table as a dropdown list, so the dropdown token represents a selected cell. But when I try to do a search using the token variable $tokenname$, it's not a string so I couldn't use it to map with where clause.
Here is the field I want to compare:

mvexpand metrics | spath input=metrics | rename "code" as code

Code is a string jsonfield.

The `where code=$tokenname$ does not work because the token is not a string.

richgalloway · ‎04-21-2020

The |s token suffix will put the token value within quotation marks. For example, where code=$tokenname|s$.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-21-2020

The |s token suffix will put the token value within quotation marks. For example, where code=$tokenname|s$.

---
If this reply helps you, Karma would be appreciated.

atammana_splunk · ‎04-21-2020

Hey @richgalloway - were you able to achieve your desired solution with this?

jieli · ‎04-21-2020

It worked, thanks.
But the subquery does not automatically run when I select another token value from the dropdown. What am I missing?

richgalloway · ‎04-21-2020

Can you share the relevant dashboard code?

---
If this reply helps you, Karma would be appreciated.

jieli · ‎04-24-2020

I added a submit button to manually trigger the update.

richgalloway · ‎04-21-2020

You should ask the OP.

---
If this reply helps you, Karma would be appreciated.

How to convert the stats field to string?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team