Dashboards & Visualizations

Explain how tokens work and define types of token filters?

Engager

Hi,
I'm preparing for the certification exam and I would appreciate the answer with examples.

Thank you

0 Karma
1 Solution

Motivator

Tokens

Tokens capture and pass values in a dashboard. Token values can come from various sources, including form inputs and predefined token values for visualizations. Searches can access token values.

In a search, token name syntax uses $...$ delimiters. For example, if you define a form input token as field_tok, you can specify the token in a search as $field_tok$. Here is an example.

<search>
  <query>
    index=_internal source=*splunkd.log | stats count by $field_tok$
  </query>
</search>

Token filters

Token filters ensure that you correctly capture the value of a token.
Example: Wrap value in quotes - $token_name|s$

This token filter ensures that quotation marks surround the value referenced by the token. It escapes all quotation characters, ", within the quoted value.

The following code snippet uses the |s filter to place quotation marks around the value returned from a token:

<search>
  <query>
    index=_internal sourcetype=$sourcetype_tok|s$ | timechart count by sourcetype
  </query>
</search>

If the value of sourcetype_tok is access_combined, it builds the following search string:

index=_internal sourcetype="access_combined" | timechart count by sourcetype

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/tokens
https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/tokens#Token_filters
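
The substitution described in the answer above, modelled as an added example that is not part of the original post and is not Splunk's own code. The names `filterS`, `renderQuery` and `countStages` and the sample values are hypothetical, and escaping backslashes is an assumption of the model.

```javascript
// Added example: a simplified model of dashboard token substitution.
// It follows the behaviour described in the answer; it is not Splunk's code.

// |s filter: escape embedded quotation marks, then wrap the value in quotes.
// Escaping backslashes too is an assumption of this model, made so that a
// trailing backslash in the value cannot cancel the closing quote.
function filterS(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

const FILTERS = new Map([['s', filterS]]);

// Replace $name$ and $name|filter$ placeholders in a query template.
function renderQuery(template, tokens) {
  return template.replace(/\$(\w+)(?:\|(\w+))?\$/g, (match, name, filter) => {
    if (!Object.prototype.hasOwnProperty.call(tokens, name)) return match; // unset token
    if (filter === undefined) return String(tokens[name]);
    if (!FILTERS.has(filter)) throw new Error(`filter not modelled: ${filter}`);
    return FILTERS.get(filter)(tokens[name]);
  });
}

// Count pipeline stages: '|' characters outside double-quoted strings, plus one.
function countStages(query) {
  let stages = 1;
  let inQuotes = false;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (inQuotes && c === '\\') { i++; continue; } // skip the escaped character
    if (c === '"') inQuotes = !inQuotes;
    else if (c === '|' && !inQuotes) stages++;
  }
  return stages;
}

const QUOTED = 'index=_internal sourcetype=$sourcetype_tok|s$ | timechart count by sourcetype';
const RAW = 'index=_internal sourcetype=$sourcetype_tok$ | timechart count by sourcetype';

// Constructed sample values: the one from the answer, and one containing
// a space, quotation marks and a pipe character.
for (const value of ['access_combined', 'my "web" logs | extra']) {
  const tokens = { sourcetype_tok: value };
  for (const template of [QUOTED, RAW]) {
    const query = renderQuery(template, tokens);
    console.log(`${countStages(query)} stages: ${query}`);
  }
}
```

With `|s` the second value stays one quoted literal and the search keeps its two stages; without the filter the same value renders as three stages.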

Motivator

@askd91
Kindly accept the answer if it helped you, so others can refer to it.

0 Karma