Dashboards & Visualizations
Highlighted

How do you store search results in a token or variable?

New Member

I want to run a search as an inputlookup after a field (name of the Field: "Field-1"). In the next step, I want to save the result of this search and display it in an HTML block.

How can I do this?

Tags (2)
0 Karma
Highlighted

Re: How do you store search results in a token or variable?

Contributor

Hey,

you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need?

All the best,
Björn

0 Karma
Highlighted

Re: How do you store search results in a token or variable?

New Member

I want to display with a inputlookup search a field from the inputlookup in my dashboard between the html tags?

Is this possible?

0 Karma
Highlighted

Re: How do you store search results in a token or variable?

Engager

why do you only give half answers? or make it harder than it needs to be?

"you can use outputlookup and use the result of this to show it in a dashboard.

Does this fit your need? OK how ?

0 Karma
Highlighted

Re: How do you store search results in a token or variable?

Motivator

Hi!
First, I recommend you learn how to use tokens in dashboards: Token usage in dashboards

You should add a done section to your inputlookup search to set the result as a token.

Then in your html block you can reference this token.

Kind of like this:

<dashboard>
  <label>Test</label>
  <row>
    <panel>
      <html>
        <center>
          <h1>Title: $mytoken$</h1>
        </center>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_* | head 1 | table sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="mytoken">$result.sourcetype$</set>
          </done>
         </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

Highlighted

Re: How do you store search results in a token or variable?

New Member

This is very useful. Thanks a lot. But I have another question in this case.

With this part:

       <query>index=_* | head 1 | table sourcetype</query>
       <earliest>-60m@m</earliest>
       <latest>now</latest>
       <done>
         <set token="mytoken">$result.sourcetype$</set>
       </done>
      </search>

I can see on this place:

Title: $mytoken$

Only one entry, but my table has in this field many other values/results. How can I display all values of the hole fields?

0 Karma
Highlighted

Re: How do you store search results in a token or variable?

Motivator

So you have a table with one field/column and multiple rows, correct?

Tokens are used for single values/numbers, so this is going to get tricky.

You could do something like:

index=_* | stats list(sourcetype) as sourcetypes | eval sourcetypes=mvjoin(sourcetypes, ",")

This will put all values in a single string which can be saved in a token.

Alternatively, Splunk dashboards have a whole lot of JavaScript and CSS capabilities which might help you better.

0 Karma