Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to change dataSource dynamically based on toke...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to change dataSource dynamically based on token in Dashboard Studio?
Hello,
How to change dataSource in table dynamically based on token in Splunk Dashboard Studio?
I tried to assign a token on the "primary" field, so it can change dynamically to "Data 1" or "Data 2" based on selection. However, this solution does not seem to work. I've seen a suggestion to use "saved search", but I don't want to use that solution. Please suggest. Thanks
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @livehybrid
I have tested and it seems working fine, although I got few issues like getting "Invalid array length" (I had to refresh browser to fix this), and table displaying all rows, instead of the number of row I specified (rows displayed = 10). The invalid array length is intermittent
I have some follow-up questions just to make sure I understand.
Thank you for your help.
1. a. Is there a limitation on the number of data source?
b. In my case, I need to change like the following, correct?
"ds_index1" : "ds_index1" (not "search1" : "ds_index1")
Can you explain what this mean: ds_index1" : "ds_index1"?
b. ds_xxxx is a random character created by Splunk, do you usually change it to readable format, or you just leave it? (which one is best practice)
c. I also need to change $mysearch$ to $datasource_token$, correct?
"viz_gE0iilm3": {
"dataSources": {
"primary": "ds_index1",
"ds_index1": "ds_index1",
"ds_index2": "ds_index2"
},
"options": {
"table": "> $datasource_token$"
},
"type": "splunk.table"
}I was trying to choose the token when clicking single value. Please let me know if this is correct
{
"type": "splunk.singlevalue",
"dataSources": {
"primary": "ds_singlevalue1"
},
"title": "Single Value 1",
"eventHandlers": [
{
"type": "drilldown.setToken",
"options": {
"tokens": [
{
"token": "datasource_token",
"value": "ds_index1"
}
]
}
}
]
}
{
"type": "splunk.singlevalue",
"dataSources": {
"primary": "ds_singlevalue2"
},
"title": "Single Value 2",
"eventHandlers": [
{
"type": "drilldown.setToken",
"options": {
"tokens": [
{
"token": "datasource_token",
"value": "ds_index2"
}
]
}
}
],
}
Also, it doesn't load at the beginning, so I need to put the default token. Is this correct?
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"latest": "-24h@h",
"earliest": "now"
}
}
}
},
"tokens": {
"default": {
"datasource_token": {
"value": "ds_index1"
}
}
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @LearningGuy
It isnt possible to set the token within the dataSources section *however* you can do the following...
...
"viz_gE0iilm3": {
"dataSources": {
"primary": "search1",
"search1": "search1",
"search2": "search2"
},
"options": {
"table": "> $mysearch$"
},
"type": "splunk.table"
}
},
"dataSources": {
"search1": {
"name": "search1",
"options": {
"query": "| makeresults \n| eval msg=\"Search 1\""
},
"type": "ds.search"
},
"search2": {
"name": "search2",
"options": {
"query": "| makeresults \n| eval msg=\"Search2\""
},
"type": "ds.search"
}
},
...What we're doing here is defining the references to the searches under the dataSources section of the viz, so mapping "search1" to the relevant ID of search1 (not the name!), so in your case "ds_index1". Important Note: you *must* have a primary otherwise the viz doesnt seem to load, this could be a basic makeresults empty search, or just search1.
Then within the table options we set :
"table": "> $mysearch$"
This defaults to "> primary" but we are overriding with the dataSource we want it to pull from (as defined in the dataSources section of the Viz)
Full example:
{
"title": "testing",
"description": "",
"inputs": {
"input_Ldh6KqEz": {
"options": {
"items": [
{
"label": "Data 1",
"value": "search1"
},
{
"label": "Data 2",
"value": "search2"
}
],
"token": "mysearch"
},
"title": "Dropdown Input Title",
"type": "input.dropdown"
}
},
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"earliest": "-24h@h",
"latest": "now"
}
}
}
}
},
"visualizations": {
"viz_gE0iilm3": {
"dataSources": {
"primary": "search1",
"search1": "search1",
"search2": "search2"
},
"options": {
"table": "> $mysearch$"
},
"type": "splunk.table"
}
},
"dataSources": {
"search1": {
"name": "search1",
"options": {
"query": "| makeresults \n| eval msg=\"Search 1\""
},
"type": "ds.search"
},
"search2": {
"name": "search2",
"options": {
"query": "| makeresults \n| eval msg=\"Search2\""
},
"type": "ds.search"
}
},
"layout": {
"globalInputs": [
"input_Ldh6KqEz"
],
"layoutDefinitions": {
"layout_1": {
"options": {
"display": "auto",
"height": 960,
"width": 1440
},
"structure": [
{
"item": "viz_gE0iilm3",
"position": {
"h": 300,
"w": 830,
"x": 10,
"y": 30
},
"type": "block"
}
],
"type": "absolute"
}
},
"tabs": {
"items": [
{
"label": "New tab",
"layoutId": "layout_1"
}
]
}
}
}
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability for AI
