Alternative to using token

tamduong16 · ‎12-15-2017

I have a very complicated dashboard which contains probably more than 20 tokens if I decide to do it this way. I want splunk to run search base on user dropdown value. For example: I have panel 1 which run query abc and panel 2 which run query bcd, panel3, etc. And all of this are different search base on token1. I tried to use (panel depends=token) for 3 panels but it already complicated and slow with 3 panels. I can't imagine having 20 like this. Is there an alternative to using token, like if else, or javascript?

nikita_p · ‎12-19-2017

Hi,
can you try using basesearch for you dashboard in xml? This will help your dashboard run faster as the panels will depend only on one search.
You can check below link for Base Search.
https://answers.splunk.com/answers/502016/base-search-query-for-different-dashboard-panels.html

greggz · ‎12-19-2017

So assuming I got your problem right, this should do the trick. If you have more specifications plz tell me, I assumed some things since you didn't specified everything.

EDIT: Based on a token from a dropdown, all searches will respond to that value.

require([
    'underscore',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc',
    'splunkjs/mvc/simplexml/ready!'
], function (_, SearchManager, mvc) {

         var tokens = mvc.Components.get("default");

         mvc.Components.get("my-dropdown-id").on("change", function(this){

        // Manually start the searches when the value of the dropdown changes. 
        firstSearch.startSearch();
        secondSearch.startSearch();
        /* 
        .
        .
        .
        */
    });

    // Create all the searches you want

    var firstSearch = new SearchManager({
            id: "example-search-1",
            earliest_time: "-24h@h",
            latest_time: "now",
            preview: true,
            cache: false,
            autostart: false,
            search: "index=_internal host=$DropDownToken$| stats count by sourcetype" }, {tokens: true});


    var secondSearch = new SearchManager({
            id: "example-search-2",
            earliest_time: "-24h@h",
            latest_time: "now",
            preview: true,
            cache: false,
            autostart: false,
            search: "index=_internal  host=$DropDownToken$| stats count by source" },{tokens:true});

    // Assuming in your panels you have tables you must associate the views to the searches manually

    mvc.Components.get("myTable1").options.managerid = firstSearch;
    mvc.Components.get("myTable2").options.managerid = secondSearch;
}

tamduong16 · ‎12-22-2017

@greggz. Thanks for answering my question. Do you know where I could add this code in Splunk? Which file would it be? I'm new to javascript in Splunk so please excuse my ignorance.

niketn · ‎12-22-2017

@tamduong16, please go through this under 5 minutes of Splunk How To video on Using Javascript in Splunk Dashboards

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

greggz · ‎12-22-2017

@tamduong16 Attention that this might not still be right, I need more specifications of your code to make it fully functional.

You save this in under the directory:

etc/apps/yourApp/appserver/static/myJsFile.js

In Simple XML you do

<form script="myJsFile.js">
..

greggz · ‎12-19-2017

So basically you want 3 or more different searches to run , based on a token that comes from a dropdown ?

tamduong16 · ‎12-22-2017

Yes. Thank you!

greggz · ‎12-22-2017

If you have tokens that you want to include in the searches tell me and I will update the answer accordingly

Alternative to using token

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?