
Help for using token filters in a scheduled search

jip31
Motivator

Hello

 

I use token filters in a table panel of my dashboard in order to filter the results of the search, and it works perfectly when the search is directly filled in the table panel.

But I need to use a scheduled search for this monitoring.

If I keep the filters in the search, the search doesn't work...

So I put the filters after the loadjob command like below:

Is it correct or not?

 

 

<row>
    <panel>
      <title>Reboot &amp; logon</title>
      <input type="text" token="tok_filterhost" searchWhenChanged="true">
        <label>Hostname</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_filtermodel" searchWhenChanged="true">
        <label>Model.</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_filterbuilding" searchWhenChanged="true">
        <label>Building.</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_reboot" searchWhenChanged="true">
        <label>Days without reboot</label>
        <default>=*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_logon" searchWhenChanged="true">
        <label>Days without logon</label>
        <default>=*</default>
        <initialValue>*</initialValue>
      </input>
      <table>
        <title>TUTU</title>
        <search>
          <query>| loadjob savedsearch="admin:TOTO_sh:TITI" 
| search Site=$tok_filtersite|s$ 
| search Responsible=$tok_filterresponsible$ 
| search Department=$tok_filterdepartment$ 
| search "Days without logon"$tok_logon$ 
| search "Days without reboot"$tok_reboot$ 
| search Hostname=$tok_filterhost$ 
| search Model=$tok_filtermodel$ 
| search Building=$tok_filterbuilding$</query>

For more information, here is the stats command done on the "TITI" search:

| stats last(BUILDING_CODE) as Building, last(DESCRIPTION_MODEL) as Model, last(LastReboot) as "Last reboot date" last(NbDaysReboot) as "Days without reboot" last(LastLogon) as "Last logon date" last(NbDaysLogon) as "Days without logon" by host SITE RESPONSIBLE_USER DEPARTMENT
| rename host as Hostname, SITE as Site, RESPONSIBLE_USER as Responsible, DEPARTMENT as Department 
| sort -"Days without reboot" -"Days without logon"

Thanks for your help please

1 Solution

ro_mc
Path Finder

I realise this is an older post, but if nobody has answered, perhaps others are having difficulty solving similar problems. Since you're referencing a saved search, you could try using a base <search> with ref to reference the saved search instead of loadjob, then use post-process searches as needed to add any additional tokens for filtering.

Two of the lines here are missing equals signs for assignment, which is likely at least part of the reason why the search is not working as expected:

| search "Days without logon"$tok_logon$ 
| search "Days without reboot"$tok_reboot$ 

You can check this by using <search> with <failed> and <error> to determine if the search has an error in it, as seen above, or whether it failed for some other reason, in which case you might want to turn on debugging in the search job inspector by modifying limits.conf as follows:

[search_info]
infocsv_log_level = DEBUG

Finally, I'm not sure what you're trying to do here with multiple | search commands. It looks like these can simply follow on from the main search. E.g.

Site=$tok_filtersite|s$ Responsible=$tok_filterresponsible$

Whether you need to pipe to |s depends on the nature of the data. Alternatively, you may need to use |u for URL encoding (typically for links e.g. in drilldowns) or |n to specify no string manipulation.


0 Karma
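
The approach suggested in the answer above (a base search that references the scheduled report, with the token filters moved into a post-process search), sketched as an added example that is not part of the original thread. It assumes the dashboard lives in the same app as the report TITI, uses a hypothetical search id `base_titi`, and filters only on the three tokens whose inputs appear in the posted panel; the `|s` filter wraps each typed value in quotes so it reaches the search as a string value.

```xml
<form>
  <label>Reboot &amp; logon</label>

  <!-- Base search: ref points at the saved report, so the dashboard reuses
       the results of its scheduled run instead of calling | loadjob.
       "base_titi" is a hypothetical id chosen for this example. -->
  <search id="base_titi" ref="TITI"></search>

  <row>
    <panel>
      <title>Reboot &amp; logon</title>
      <input type="text" token="tok_filterhost" searchWhenChanged="true">
        <label>Hostname</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_filtermodel" searchWhenChanged="true">
        <label>Model</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <input type="text" token="tok_filterbuilding" searchWhenChanged="true">
        <label>Building</label>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <table>
        <title>TUTU</title>
        <!-- Post-process search: runs against the base search results.
             The field names are the ones produced by the report's
             stats/rename (Hostname, Model, Building). All filters sit in
             one search command, and |s quotes each user-typed value. -->
        <search base="base_titi">
          <query>search Hostname=$tok_filterhost|s$ Model=$tok_filtermodel|s$ Building=$tok_filterbuilding|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Every token used in the post-process query has a matching input with a default value, so the panel does not wait on an unset token.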
