Solved: Re: How to clear/reset the value of a token?

Mario · ‎06-09-2022

Hello all.

I am making a dashboard in which I was in the need to create a subsearch. This is the piece of code that does it:

<panel>
<title>random panel title</title>
<table depends="$show_debug$">
<search id="Build_list">
<query>index= here it goes my query |fields * |table important_field |format</query>
<finalized>
<condition match=" 'job.resultCount' != 0">
<set token="my_list">$result.search$</set>
</condition>
<condition>
<unset token="my_list"></unset>
</condition>
</finalized>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<title>another panel</title>
<html depends="$show_debug$">
<h3>$my_list$</h3>
</html>
</panel>

and here I am using the $my_list$ token:

<search>
<query>$my_list$ | foreach
something.* [rename "<<FIELD>>" as
"<<MATCHSEG1>>"]
| stats
values(Url),values(UrlDomain)</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>

This worked well the first time, but now, for every new query I do, no matter if I close and open a new browser/splunk session, I see still the results of the first query I did. is like $my_list$ has the first ever values hardened and I cannot reset them. I though that <unset token="my_list"></unset> would clear it but not....

Any help please? The goal here is to use this $my_list$ token, which is a splunk query (note the |format at the end of the query) but of course this token needs to be empty every time I run a new query.

Thanks a lot in advance.

Mario

gcusello · ‎06-09-2022

Hi @Mario,

in the input section, you could add a panel like this (obviously to adapt to your tokes:

    <input type="radio" token="resetTokens" searchWhenChanged="true">
      <label></label>
      <choice value="reset">Reset Inputs</choice>
      <choice value="retain">Retain</choice>
      <default>retain</default>
      <change>
        <condition value="reset">
          <unset token="token1"></unset>
          <unset token="token2"></unset>
          <unset token="token3"></unset>
          <set token="resetTokens">retain</set>
        </condition>
      </change>
    </input>

Ciao.

Giuseppe

View solution in original post

makelovenotwar · ‎04-25-2023

how would I do this with a *link* field type? I just want a button that says 'SUBMIT" so the user can reset the tokens.

gcusello · ‎04-25-2023

Hi @makelovenotwar,

you can do this using a JavaScript, but I'm not an expert in JS so I cannot help you more.

But using my solution, you have a reset button in the header bar.

Ciao.

Giuseppe

gcusello · ‎06-09-2022

Hi @Mario,

in the input section, you could add a panel like this (obviously to adapt to your tokes:

    <input type="radio" token="resetTokens" searchWhenChanged="true">
      <label></label>
      <choice value="reset">Reset Inputs</choice>
      <choice value="retain">Retain</choice>
      <default>retain</default>
      <change>
        <condition value="reset">
          <unset token="token1"></unset>
          <unset token="token2"></unset>
          <unset token="token3"></unset>
          <set token="resetTokens">retain</set>
        </condition>
      </change>
    </input>

Ciao.

Giuseppe

maspiro · ‎10-14-2024

Hi Giuseppe!

It's very useful, but this soluton needs to restart the search.

My needing is that one panel is related via token to another: when I click on a field in the second panel the previous show only related record. How can I reset the token in order to have all the records in the first panel without restart the search?

Thanks a lot!

ITWhisperer · ‎10-14-2024

Extending a previously answered question is perhaps not the best way of getting your question answered, particularly when the extension is a bit vague. Please start a new question with more specifics about your particular usecase and the difficulties you are having i.e. what would you want the solution to look like.

gcusello · ‎10-14-2024

Hi @maspiro ,

for my knowledge, restarting the search is the only way to reset a token.

Ciao.

Giuseppe

Mario · ‎04-26-2023

Ciao Beppe!

I am so sorry I thought I marked your reply as solution before. I have just done it now.

Grazie mille!

kukasky · ‎06-02-2024

This solution is for classic dashboard. How do it in Dashboard studio ?

ITWhisperer · ‎06-02-2024

You need to use another search to (conditionally) set the result field to null and use the results tokens from the search. For example:

{
    "visualizations": {
        "viz_F0Z9jsFU": {
            "type": "splunk.singlevalue",
            "title": "Speed in km/h",
            "dataSources": {
                "primary": "ds_eZ6LtdAT"
            },
            "options": {
                "unit": "km/h"
            }
        },
        "viz_p4tcz9dd": {
            "type": "splunk.singlevalue",
            "dataSources": {
                "primary": "ds_RopRdHUj"
            },
            "title": "Speed in mph",
            "options": {
                "unit": "mph"
            },
            "description": "$km per hour : result.kmh$ * 0.621"
        }
    },
    "dataSources": {
        "ds_eZ6LtdAT": {
            "type": "ds.search",
            "options": {
                "query": "| makeresults\n| eval kmh=random()%100",
                "enableSmartSources": true
            },
            "name": "km per hour"
        },
        "ds_RopRdHUj": {
            "type": "ds.search",
            "options": {
                "query": "| makeresults\n| eval speed_in_mph = if($km per hour:result.kmh$ > 50, $km per hour:result.kmh$ * 0.621, null())\n| table speed_in_mph"
            },
            "name": "kmh to mph"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "latest": "$global_time.latest$",
                        "earliest": "$global_time.earliest$"
                    }
                }
            }
        }
    },
    "inputs": {
        "input_global_trp": {
            "type": "input.timerange",
            "options": {
                "token": "global_time",
                "defaultValue": "-24h@h,now"
            },
            "title": "Global Time Range"
        }
    },
    "layout": {
        "type": "absolute",
        "options": {
            "width": 1440,
            "height": 960,
            "display": "auto"
        },
        "structure": [
            {
                "item": "viz_F0Z9jsFU",
                "type": "block",
                "position": {
                    "x": 10,
                    "y": 10,
                    "w": 250,
                    "h": 250
                }
            },
            {
                "item": "viz_p4tcz9dd",
                "type": "block",
                "position": {
                    "x": 290,
                    "y": 10,
                    "w": 250,
                    "h": 250
                }
            }
        ],
        "globalInputs": [
            "input_global_trp"
        ]
    },
    "description": "",
    "title": "Evaluate tokens using search"
}

Adapted from documentation example here

How to clear/reset the value of a token?

Dashboard Studio

panel

token

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?