Dashboards & Visualizations

How do you store search results in a token or variable?

yasin_tk
New Member

I want to run a search as an inputlookup after a field (name of the Field: "Field-1"). In the next step, I want to save the result of this search and display it in an HTML block.

How can I do this?

Tags (2)
0 Karma
1 Solution

whrg
Motivator

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

whrg
Motivator

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

yasin_tk
New Member

This is very useful. Thanks a lot. But I have another question in this case.

With this part:

       <query>index=_* | head 1 | table sourcetype</query>
       <earliest>-60m@m</earliest>
       <latest>now</latest>
       <done>
         <set token="mytoken">$result.sourcetype$</set>
       </done>
      </search>

I can see on this place:

Title: $mytoken$

Only one entry, but my table has in this field many other values/results. How can I display all values of the hole fields?

0 Karma

whrg
Motivator

So you have a table with one field/column and multiple rows, correct?

Tokens are used for single values/numbers, so this is going to get tricky.

You could do something like:

index=_* | stats list(sourcetype) as sourcetypes | eval sourcetypes=mvjoin(sourcetypes, ",")

This will put all values in a single string which can be saved in a token.

Alternatively, Splunk dashboards have a whole lot of JavaScript and CSS capabilities which might help you better.

bjoernjensen
Contributor

Hey,

you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need?

All the best,
Björn

0 Karma

yasin_tk
New Member

I want to display with a inputlookup search a field from the inputlookup in my dashboard between the html tags?

Is this possible?

0 Karma

onegame999
Explorer

why do you only give half answers? or make it harder than it needs to be?

"you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need? OK how ?

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...