Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can we pass two tokens form one input

sravankaripe
Communicator
‎04-20-2017 02:24 PM

i have a use can pass two tokens by using one input type. how can we achieve this.
Please help me with sample Xml code

0 Karma
Reply

woodcock
Esteemed Legend
‎04-22-2017 10:42 AM

You can put your values for origToken between a separator string such as :: (e.g. index=abc sourcetype=abc::index=xyz sourcetype=xyz) and then use XML like this:

<selection>
   <eval token="derivedToken1">replace($origToken$, ".*::", "")</eval>
   <eval token="derivedToken2">replace($origToken$, "::.*", "")</eval>
</selection>
Reply

paulbannister
Communicator
‎04-21-2017 01:13 AM

As a workaround you could create a base search within the dashboard that generates the second token utilising the first token from the input, that way you would have both tokens available within the XML, however as above more details would be needed to give a full answer (Type of input, desired outcome, etc..) Would you be able to post a example of the dashboard/reports/XML?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-20-2017 03:06 PM

You can encode both values in the value by setting the values to something like this index=xxx sourcetype=yyy and then use the combined KVP in your search like this:

<query>$MyDualKVP$ | stats count by host</query>

So do you really need 2 tokens?

0 Karma
Reply

niketn
Legend
‎04-20-2017 10:41 PM

@sravankaripe... You need to add more details. What is the input that you are using what are the values(fields) that you need to pass? Also what is the search/search results?

You should be able to code inputs change event to pass on the values you need.
http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sravankaripe
Communicator
‎04-21-2017 06:35 AM

Input type is Dropdown.
this dropdown should have two tokens.
1st token will go to first panel (say index= abc sourcetype=abc:abc $token1$)
2nd token will goes to second panel in the same dashboard.(say index=xyz sourcetype=xyz:xyz $token2$)

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...