Title: $mytoken$

yasin_tk · ‎12-06-2018

I want to run a search as an inputlookup after a field (name of the Field: "Field-1"). In the next step, I want to save the result of this search and display it in an HTML block.

How can I do this?

whrg · ‎12-06-2018

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

whrg · ‎12-06-2018

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

yasin_tk · ‎12-06-2018

This is very useful. Thanks a lot. But I have another question in this case.

With this part:

       <query>index=_* | head 1 | table sourcetype</query>
       <earliest>-60m@m</earliest>
       <latest>now</latest>
       <done>
         <set token="mytoken">$result.sourcetype$</set>
       </done>
      </search>

I can see on this place:

Title: $mytoken$

Only one entry, but my table has in this field many other values/results. How can I display all values of the hole fields?

whrg · ‎12-06-2018

So you have a table with one field/column and multiple rows, correct?

Tokens are used for single values/numbers, so this is going to get tricky.

You could do something like:

index=_* | stats list(sourcetype) as sourcetypes | eval sourcetypes=mvjoin(sourcetypes, ",")

This will put all values in a single string which can be saved in a token.

Alternatively, Splunk dashboards have a whole lot of JavaScript and CSS capabilities which might help you better.

bjoernjensen · ‎12-06-2018

Hey,

you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need?

All the best,
Björn

yasin_tk · ‎12-06-2018

I want to display with a inputlookup search a field from the inputlookup in my dashboard between the html tags?

Is this possible?

onegame999 · ‎10-27-2019

why do you only give half answers? or make it harder than it needs to be?

"you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need? OK how ?

How do you store search results in a token or variable?

Title: $mytoken$

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...