Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Dashboard search token
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
im trying to learn about search tokens within the same dashboard, but not having much luck. I've set up a simple test dashboard with two panels, both are tables. I would like a search token defined for search A and used in search B for the RecordNumber field. Is it possible without a field input shown on the dashboard?
Search A:
index="wineventlog" LogName=Security | table EventCode RecordNumber
Search B:
index="wineventlog" LogName=Security RecordNumber=* | dedup RecordNumber| table RecordNumber
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use drilldown in first table like:
<drilldown>
<condition field="RecordNumber">
<set token="selected_RecordNumber">$click.value2$</set>
</condition>
</drilldown>
then use $selected_RecordNumber$ token in second table query like:
index="wineventlog" LogName=Security RecordNumber=$selected_RecordNumber$ | dedup RecordNumber| table RecordNumber
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@becksyboy, intent of your Search A and Search B is not clear.
The Search A in the question returns All Events and All RecorNumbers (even duplicates). What is the purpose or the intent of this?
The Search B returns all unique RecordNumbers.
Please clarify the question as well I would like a search token defined for search A and used in search B for the RecordNumber field. Is it possible without a field input shown on the dashboard?. What do you want to do here?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use drilldown in first table like:
<drilldown>
<condition field="RecordNumber">
<set token="selected_RecordNumber">$click.value2$</set>
</condition>
</drilldown>
then use $selected_RecordNumber$ token in second table query like:
index="wineventlog" LogName=Security RecordNumber=$selected_RecordNumber$ | dedup RecordNumber| table RecordNumber
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Rajesh, i could only get this to work if i set search A with the drilldown option name to cell. So if i click on a RecordNumber from the Search A table, the value is shown in the Search B table. Is there a way to dynamically show all the results for the table in Search B>?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dynamically show all the results means? can you explain in detail that on click on table A what you are expecting in tableB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, i was hoping to see my table populated with results for all rows. Is that possible with a search token?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you provide sample table A and expected table B to get better understanding
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suppose my example searches are more for a learning/understanding point of view, so perhaps they may not be the best. However, below are the tables i have on my test dashboard. So can a search token power search B to show all rows?
Search A:
EventCode RecordNumber
4624 9000
4624 9000
4624 9000
4624 9001
Search B:
RecordNumber
9000
9001
9002
9003
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
basically drilldown can be used to sort the results but here you are expecting full result set with only one column with unique value . so write below query in tableB
index="wineventlog" LogName=Security | dedup RecordNumber| table RecordNumber
but if you want this table B to be shown only after clicking on Table A then you can use depends in <panel>
firstly use below drilldown in tabelA panel:
<drilldown>
<set token="count_field">$click.value$</set>
</drilldown>
and now in second panel use depends:
<panel depends="$count_field$">
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Rajesh, this making sense; i'm getting a better understanding of this now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks somesoni2 i've been reading these docs, very helpful, with alot to pick through and understand.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
