Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Access search field for Dashboard title

DerekKing
Path Finder
‎10-06-2016 03:07 AM

Hi All,

I have a search that results in 2 fields, that I would like to use as a single value field in my dashboard, and access the second field as a token to be used in either the panel title, or the single value caption.

As an example - My search ends like

| stats count values(fileName) AS fileName

which results in;
count | fileName
31 | derek.txt

Is there a way to access the filename field as a token? I thought I may just be able to use $result.fileName$, but it appears not. I've also tried $result.fileName$ and then using that as my token in the title, but no joy.

To give you an idea, currently my XML looks like

  <title>$result.fileName$</title>
  <single>
    <title></title>
    <search>
      <query>search .... | stats sum(processCount) AS Processed values(fileName) AS fileName</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="drilldown">none</option>
    <option name="numberPrecision">0</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="unitPosition">after</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
    <option name="rangeValues">[0,30,70,100]</option>
    <option name="linkView">search</option>
    <option name="underLabel">$fileName$</option>
  </single>
</panel>

Any thoughts, appreciated.

Derek

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎10-06-2016 03:55 AM

Try the following, where you have to add a little extra to the <search> element to get the fields. See this link for more details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference

Also, your search will currently give you a multi-valued set for fileName (because you use values()). Do you want the single fileName value with the most number of processCount? If so, I would change the search to the following:

search .... | stats sum(processCount) AS Processed by fileName | sort 1 -fileName

  <panel>
  <title>$title$</title>
   <single>
     <search>
       <query>search .... | stats sum(processCount) AS Processed values(fileName) AS fileName</query>
       <done>
        <condition match=" 'job.resultCount' > 0">
            <set token="title">$result.fileName$</set>
            <set token="label">$result.fileName$</set>
        </condition>
        <condition>
            <set token="title">"No Data"</set>
            <set token="label">"No Data"</set>
        </condition>
    </done>
     </search>
     <option name="colorBy">value</option>
     <option name="colorMode">block</option>
     <option name="drilldown">none</option>
     <option name="numberPrecision">0</option>
     <option name="showSparkline">1</option>
     <option name="showTrendIndicator">1</option>
     <option name="trendColorInterpretation">standard</option>
     <option name="trendDisplayMode">absolute</option>
     <option name="unitPosition">after</option>
     <option name="useColors">1</option>
     <option name="useThousandSeparators">1</option>
     <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
     <option name="rangeValues">[0,30,70,100]</option>
     <option name="underLabel">$label$</option>
   </single>
 </panel>

View solution in original post

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎10-06-2016 03:55 AM

Try the following, where you have to add a little extra to the <search> element to get the fields. See this link for more details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference

Also, your search will currently give you a multi-valued set for fileName (because you use values()). Do you want the single fileName value with the most number of processCount? If so, I would change the search to the following:

search .... | stats sum(processCount) AS Processed by fileName | sort 1 -fileName

  <panel>
  <title>$title$</title>
   <single>
     <search>
       <query>search .... | stats sum(processCount) AS Processed values(fileName) AS fileName</query>
       <done>
        <condition match=" 'job.resultCount' > 0">
            <set token="title">$result.fileName$</set>
            <set token="label">$result.fileName$</set>
        </condition>
        <condition>
            <set token="title">"No Data"</set>
            <set token="label">"No Data"</set>
        </condition>
    </done>
     </search>
     <option name="colorBy">value</option>
     <option name="colorMode">block</option>
     <option name="drilldown">none</option>
     <option name="numberPrecision">0</option>
     <option name="showSparkline">1</option>
     <option name="showTrendIndicator">1</option>
     <option name="trendColorInterpretation">standard</option>
     <option name="trendDisplayMode">absolute</option>
     <option name="unitPosition">after</option>
     <option name="useColors">1</option>
     <option name="useThousandSeparators">1</option>
     <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
     <option name="rangeValues">[0,30,70,100]</option>
     <option name="underLabel">$label$</option>
   </single>
 </panel>
Reply
Solved! Jump to solution

Gayatri
Explorer
‎08-11-2021 02:03 AM

Hi,

@rjthibod will this work in Splunk version 7.6.0, because I have tried it but it still displays $label$ instead of value. Below is my query where I want to fetch TraWeek and should get used as under label in single value chart. Please help me to achieve this.

<row>
<panel>
<title>Transaction points processed</title>
<single>
<search>
<query>index=* sourcetype=member.csv |dedup TraWeek | eventstats max(TraWeek) as Max_TransWeek|where TraWeek=Max_TransWeek|eval PAM1=round(PointsAmountInMillion,2)|timechart latest(PAM1) as TransactionPoints by TraWeek</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
<done>
<condition match=" 'job.resultCount' > 0">
<set token="title">$result.TraWeek$</set>
<set token="label">$result.TraWeek$</set>
</condition>
<condition>
<set token="title">"No Data"</set>
<set token="label">"No Data"</set>
</condition>
</done>
</search>
<option name="drilldown">all</option>
<option name="numberPrecision">0.00</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="underLabel">$label$</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="unit">M</option>
<option name="underLabel">$label$</option>
</single>
</panel>

0 Karma
Reply
Solved! Jump to solution

DerekKing
Path Finder
‎10-06-2016 09:29 AM

Brilliant Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...