Dashboards & Visualizations

How do you store search results in a token or variable?

New Member

I want to run a search as an inputlookup after a field (name of the Field: "Field-1"). In the next step, I want to save the result of this search and display it in an HTML block.

How can I do this?

Tags (2)
0 Karma
1 Solution

Motivator

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

Motivator

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

New Member

This is very useful. Thanks a lot. But I have another question in this case.

With this part:

       <query>index=_* | head 1 | table sourcetype</query>
       <earliest>-60m@m</earliest>
       <latest>now</latest>
       <done>
         <set token="mytoken">$result.sourcetype$</set>
       </done>
      </search>

I can see on this place:

Title: $mytoken$

Only one entry, but my table has in this field many other values/results. How can I display all values of the hole fields?

0 Karma

Motivator

So you have a table with one field/column and multiple rows, correct?

Tokens are used for single values/numbers, so this is going to get tricky.

You could do something like:

index=_* | stats list(sourcetype) as sourcetypes | eval sourcetypes=mvjoin(sourcetypes, ",")

This will put all values in a single string which can be saved in a token.

Alternatively, Splunk dashboards have a whole lot of JavaScript and CSS capabilities which might help you better.

0 Karma

Contributor

Hey,

you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need?

All the best,
Björn

0 Karma

New Member

I want to display with a inputlookup search a field from the inputlookup in my dashboard between the html tags?

Is this possible?

0 Karma

Explorer

why do you only give half answers? or make it harder than it needs to be?

"you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need? OK how ?