
Help for using token filters in a scheduled search

jip31
Motivator

Hello

I use token filters in a table panel of my dashboard in order to filter the results of the search and it works perfectly when the search is directly filled in the table panel.

But I need to use a scheduled search for this monitoring.

If I keep the filters in the search, the search doesn't work....

So I put the filters after the loadjob command like below:

Is it correct or not?

<row>
    <panel>
      <title>Reboot &amp; logon</title>
      <input type="text" token="tok_filterhost" searchWhenChanged="true">
        <label>Hostname</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_filtermodel" searchWhenChanged="true">
        <label>Model.</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_filterbuilding" searchWhenChanged="true">
        <label>Building.</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_reboot" searchWhenChanged="true">
        <label>Days without reboot</label>
        <default>=*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_logon" searchWhenChanged="true">
        <label>Days without logon</label>
        <default>=*</default>
        <initialValue>*</initialValue>
      </input>
      <table>
        <title>TUTU</title>
        <search>
          <query>| loadjob savedsearch="admin:TOTO_sh:TITI" 
| search Site=$tok_filtersite|s$ 
| search Responsible=$tok_filterresponsible$ 
| search Department=$tok_filterdepartment$ 
| search "Days without logon"$tok_logon$ 
| search "Days without reboot"$tok_reboot$ 
| search Hostname=$tok_filterhost$ 
| search Model=$tok_filtermodel$ 
| search Building=$tok_filterbuilding$</query>
        </search>
      </table>
    </panel>
</row>

For more information, here is the stats command done on the "TITI" search:

| stats last(BUILDING_CODE) as Building, last(DESCRIPTION_MODEL) as Model, last(LastReboot) as "Last reboot date" last(NbDaysReboot) as "Days without reboot" last(LastLogon) as "Last logon date" last(NbDaysLogon) as "Days without logon" by host SITE RESPONSIBLE_USER DEPARTMENT
| rename host as Hostname, SITE as Site, RESPONSIBLE_USER as Responsible, DEPARTMENT as Department 
| sort -"Days without reboot" -"Days without logon"

Thanks for your help please


ro_mc
Path Finder

I realise this is an older post, but if nobody has answered, perhaps others are having difficulty solving similar problems. Since you're referencing a saved search, you could try using a base <search> with ref to reference the saved search instead of loadjob, then use post-process searches as needed to add any additional tokens for filtering.

Two of the lines here are missing equals signs for assignment, which is likely at least part of the reason why the search is not working as expected:

| search "Days without logon"$tok_logon$ 
| search "Days without reboot"$tok_reboot$ 

You can check this by using <search> with <failed> and <error> to determine if the search has an error in it, as seen above, or whether it failed for some other reason, in which case you might want to turn on debugging in the search job inspector by modifying limits.conf as follows:

[search_info]
infocsv_log_level = DEBUG

Finally, I'm not sure what you're trying to do here with multiple | search commands. It looks like these can simply follow on from the main search. E.g.

Site=$tok_filtersite|s$ Responsible=$tok_filterresponsible$

Whether you need to pipe to |s depends on the nature of the data. Alternatively, you may need to use |u for URL encoding (typically for links e.g. in drilldowns) or |n to specify no string manipulation.

0 Karma
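
The base-search approach suggested in the answer above, written out as an added example; it is not code from either poster. It assumes the scheduled report "TITI" is visible from the dashboard's app, uses a hypothetical search id `base_titi`, and filters only on the five inputs shown in the question.

```xml
<form>
  <label>Reboot &amp; logon</label>
  <!-- Base search: reuses the results of the scheduled report instead of loadjob (assumption: report is named TITI) -->
  <search id="base_titi" ref="TITI"></search>
  <fieldset submitButton="false">
    <input type="text" token="tok_filterhost" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
    </input>
    <input type="text" token="tok_filtermodel" searchWhenChanged="true">
      <label>Model.</label>
      <default>*</default>
    </input>
    <input type="text" token="tok_filterbuilding" searchWhenChanged="true">
      <label>Building.</label>
      <default>*</default>
    </input>
    <!-- These two tokens carry the comparison operator themselves (=*, >30, ...),
         so default and initialValue both have to include it -->
    <input type="text" token="tok_reboot" searchWhenChanged="true">
      <label>Days without reboot</label>
      <default>=*</default>
      <initialValue>=*</initialValue>
    </input>
    <input type="text" token="tok_logon" searchWhenChanged="true">
      <label>Days without logon</label>
      <default>=*</default>
      <initialValue>=*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>TUTU</title>
        <!-- Post-process search: one search command, all filters in a single expression.
             |s quotes and escapes the typed value so it stays one field value;
             the operator tokens cannot take |s and are inserted verbatim -->
        <search base="base_titi">
          <query>search Hostname=$tok_filterhost|s$ Model=$tok_filtermodel|s$ Building=$tok_filterbuilding|s$ "Days without reboot"$tok_reboot$ "Days without logon"$tok_logon$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Every token referenced in the query has a matching input here; a query that references a token no input sets stays in the "waiting for input" state instead of running.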
