Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard search token

becksyboy
Contributor
‎02-19-2018 12:19 PM

Hi All,

im trying to learn about search tokens within the same dashboard, but not having much luck. I've set up a simple test dashboard with two panels, both are tables. I would like a search token defined for search A and used in search B for the RecordNumber field. Is it possible without a field input shown on the dashboard?

Search A:
index="wineventlog" LogName=Security | table EventCode RecordNumber

Search B:
index="wineventlog" LogName=Security RecordNumber=* | dedup RecordNumber| table RecordNumber

thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎02-19-2018 06:31 PM

you can use drilldown in first table like:

 <drilldown>
          <condition field="RecordNumber">
            <set token="selected_RecordNumber">$click.value2$</set>
          </condition>
 </drilldown>

then use $selected_RecordNumber$ token in second table query like:

index="wineventlog" LogName=Security RecordNumber=$selected_RecordNumber$ | dedup RecordNumber| table RecordNumber

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-20-2018 09:59 AM

@becksyboy, intent of your Search A and Search B is not clear.

The Search A in the question returns All Events and All RecorNumbers (even duplicates). What is the purpose or the intent of this?

The Search B returns all unique RecordNumbers.

Please clarify the question as well I would like a search token defined for search A and used in search B for the RecordNumber field. Is it possible without a field input shown on the dashboard?. What do you want to do here?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎02-19-2018 06:31 PM

you can use drilldown in first table like:

 <drilldown>
          <condition field="RecordNumber">
            <set token="selected_RecordNumber">$click.value2$</set>
          </condition>
 </drilldown>

then use $selected_RecordNumber$ token in second table query like:

index="wineventlog" LogName=Security RecordNumber=$selected_RecordNumber$ | dedup RecordNumber| table RecordNumber
0 Karma
Reply
Solved! Jump to solution

becksyboy
Contributor
‎02-20-2018 12:23 AM

Thanks Rajesh, i could only get this to work if i set search A with the drilldown option name to cell. So if i click on a RecordNumber from the Search A table, the value is shown in the Search B table. Is there a way to dynamically show all the results for the table in Search B>?

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-20-2018 01:10 AM

Dynamically show all the results means? can you explain in detail that on click on table A what you are expecting in tableB

0 Karma
Reply
Solved! Jump to solution

becksyboy
Contributor
‎02-20-2018 09:03 AM

Hi, i was hoping to see my table populated with results for all rows. Is that possible with a search token?

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-20-2018 09:33 AM

can you provide sample table A and expected table B to get better understanding

0 Karma
Reply
Solved! Jump to solution

becksyboy
Contributor
‎02-20-2018 12:47 PM

I suppose my example searches are more for a learning/understanding point of view, so perhaps they may not be the best. However, below are the tables i have on my test dashboard. So can a search token power search B to show all rows?

Search A:
EventCode RecordNumber
4624 9000
4624 9000
4624 9000
4624 9001

Search B:
RecordNumber
9000
9001
9002
9003

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-20-2018 04:56 PM

basically drilldown can be used to sort the results but here you are expecting full result set with only one column with unique value . so write below query in tableB

 index="wineventlog" LogName=Security  | dedup RecordNumber| table RecordNumber

but if you want this table B to be shown only after clicking on Table A then you can use depends in <panel>
firstly use below drilldown in tabelA panel:

<drilldown>
          <set token="count_field">$click.value$</set>
 </drilldown>

and now in second panel use depends:

<panel depends="$count_field$">
0 Karma
Reply
Solved! Jump to solution

becksyboy
Contributor
‎02-22-2018 01:39 AM

Thanks Rajesh, this making sense; i'm getting a better understanding of this now.

0 Karma
Reply
Solved! Jump to solution

becksyboy
Contributor
‎02-20-2018 12:24 AM

Thanks somesoni2 i've been reading these docs, very helpful, with alot to pick through and understand.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top