All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Token-based visualization in Splunk Mobile

Wiessiet
Path Finder
‎07-14-2025 01:16 PM

I am at my wits end trying to figure this out. I have Splunk Secure Gateway deployed and I'm successfully receiving push alerts via the "Send to Splunk Mobile" alert trigger action. This trigger action has the option to set a visualization, which I have picked, along with a "Token name" and "Result Fieldname" to pre-populate the dashboard visualization based on the alert that has just run. This is the piece I cannot seem to get working.

I'm able to dynamically set the alert title in the mobile app by using

$result.user$

(user is the field in the Alert search that I'm interested in). I cannot seem to get that value into my dashboard, however. The visualization shows up inline with the search but it is not populated with data. I'm setting:

Token Name: netidToken
Result Fieldname: $result.user$

The dashboard that I'm linking to has an input with a token called "netidToken". This functionality works when calling it via URL, but it passes nothing to the dashboard in the mobile app, so clicking the "View dashboard" button on the alert just opens an empty dashboard. The Splunk documentation around this is woefully incomplete and never really explains the specifics of using these settings. Any insight would be appreciated!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Wiessiet
Path Finder
‎07-14-2025 02:56 PM

Ok, a bit more information. I'm admittedly running a slightly older version of Splunk (9.2.6); I'm not sure if this issue is fixed in subsequent versions.

It seems like the mobile alert visualization simply doesn't populate the token properly. I augmented my dashboard with a search block like this:

<query>| makeresults
| eval formToken="$form.netidToken$", notFormToken="$netidToken$"
| table formToken notFormToken</query>

In the web, both of those values get populated from the input field with the 'netidToken' setting. In mobile, the form.netidToken call doesn't work at all, and the netidToken value is initially populated by the literal text "$netidToken$". After manually entering a value into the tokenized input, it updates correctly, but never gets populated when being called from the alert itself.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎07-15-2025 03:24 AM

Hi @Wiessiet 

I went down a rabbithole trying to get this to work last night but unfortunately didnt end up with any progress. Ultimately I dont think it is possible to pass params to the dashboard via the "View Dashboard" link. 

I did manage to get the token working in the dashboard display which appears when you click the alert, but I assume you're wanting it to follow into the View Dashboard button? 

I agree with you re the docs - not a lot of info or examples!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

Wiessiet
Path Finder
‎07-16-2025 06:49 AM

would you be able to share your configuration that passed the token to that initial view? I can't get that to work either.

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎07-16-2025 08:08 AM

Hey @Wiessiet 

I will try and screenshot this and work through it this evening and get back to you on here as I dont currently have access to the env I set it up on.

 

0 Karma
Reply
Solved! Jump to solution

Wiessiet
Path Finder
‎07-15-2025 05:53 AM

Thanks @livehybrid , I appreciate the confirmation that this isn't as striaghtforward as it looks like it should be. I don't understand why they have this obvious feature which *looks* like it should be easy to use, only it doesn't work. 

When you got it working in the inline view, are you using a classic or dashboard studio dashboard? I originally tried this with dashboard studio and couldn't even get it to display at all - it just throws errors in the mobile client and on the gateway. My inline dashboard (even set to classic) won't work either - it just never seems to pick up the token required to get it to display any data.

I'm going to experiment with a couple more things and then maybe open a ticket and just figure out a work-around. Unless I come up with something better I'll mark your post as the solution.

0 Karma
Reply
Solved! Jump to solution
Solution

Wiessiet
Path Finder
‎07-14-2025 02:56 PM

Ok, a bit more information. I'm admittedly running a slightly older version of Splunk (9.2.6); I'm not sure if this issue is fixed in subsequent versions.

It seems like the mobile alert visualization simply doesn't populate the token properly. I augmented my dashboard with a search block like this:

<query>| makeresults
| eval formToken="$form.netidToken$", notFormToken="$netidToken$"
| table formToken notFormToken</query>

In the web, both of those values get populated from the input field with the 'netidToken' setting. In mobile, the form.netidToken call doesn't work at all, and the netidToken value is initially populated by the literal text "$netidToken$". After manually entering a value into the tokenized input, it updates correctly, but never gets populated when being called from the alert itself.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...