Re: Pass stats count value from a search command t...

dojiepreji · ‎02-18-2019

Hello all,

Is there a way to pass the number derived from stats count to a token?

I need to make an HTML panel consisting of text like so:

Incident
New VS. Resolved
o   42 new incidents
o   54 resolved incidents (all P3 and P4s)

Values 42 and 54 come from search queries like so:

For 42:
| search status="*"
| stats count(ticket) as New

For 54:
| search status="Resolved"
| stats count(ticket) as Resolved

Is there a way to pass the values of New and Resolved from the search queries to tokens in the dashboard so I can display it inside my HTML panel?

vnravikumar · ‎02-18-2019

Hi @dojiepreji

Try like

       <search>
          <query>your query......| search status="*"
                | stats count(ticket) as New</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <set token="new_incident">$result.New$</set>
            </condition>
          </done>
        </search>

vnravikumar · ‎02-19-2019

@dojiepreji, have you tried?

vnravikumar · ‎02-21-2019

Any update?

woodcock · ‎02-18-2019

Sure, with the eval token here:
https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML

Pass stats count value from a search command to a token, and display tokens in an HTML panel

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...