Dashboards & Visualizations

How do you store search results in a token or variable?

yasin_tk
New Member

I want to run a search as an inputlookup after a field (name of the Field: "Field-1"). In the next step, I want to save the result of this search and display it in an HTML block.

How can I do this?

Tags (2)
0 Karma
1 Solution

whrg
Motivator

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

whrg
Motivator

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

yasin_tk
New Member

This is very useful. Thanks a lot. But I have another question in this case.

With this part:

       <query>index=_* | head 1 | table sourcetype</query>
       <earliest>-60m@m</earliest>
       <latest>now</latest>
       <done>
         <set token="mytoken">$result.sourcetype$</set>
       </done>
      </search>

I can see on this place:

Title: $mytoken$

Only one entry, but my table has in this field many other values/results. How can I display all values of the hole fields?

0 Karma

whrg
Motivator

So you have a table with one field/column and multiple rows, correct?

Tokens are used for single values/numbers, so this is going to get tricky.

You could do something like:

index=_* | stats list(sourcetype) as sourcetypes | eval sourcetypes=mvjoin(sourcetypes, ",")

This will put all values in a single string which can be saved in a token.

Alternatively, Splunk dashboards have a whole lot of JavaScript and CSS capabilities which might help you better.

bjoernjensen
Contributor

Hey,

you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need?

All the best,
Björn

0 Karma

yasin_tk
New Member

I want to display with a inputlookup search a field from the inputlookup in my dashboard between the html tags?

Is this possible?

0 Karma

onegame999
Explorer

why do you only give half answers? or make it harder than it needs to be?

"you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need? OK how ?

Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...