How to get the value from a drop-down menu to populate the token in a panel search for an accelerated report?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I've created an accelerated report called "Test Extract" which works fine and I've incorporated this into a dashboard as a 'Stats Table' panel.

What I'm trying to do is extract the information pertinent to a value selected in a drop-down menu on the dashboard with the token $username$ and my attempts so far have been unsuccessful.

I've tried:

<searchString>savedsearch "Test Extract" | inFullName="$username$"</searchString>
<searchString>savedsearch "Test Extract" | where inFullName="$username$"</searchString>
<searchString>savedsearch "Test Extract" | search inFullName="$username$"</searchString>

But all return a "No results found" message, although I know there to be data available.

Could someone have a look at this please and let me know where I've gone wrong?

Many thanks and kind regards

Chris

0 Karma

jeffland
SplunkTrust

I must admit that I don't know why, but it works when you use a post-processing search for your panel after having the base search reference the report, such as this:

<form>
  <fieldset submitButton="false">
    <input type="text" token="tok"></input>
  </fieldset>
  <search id="abc" ref="Splunk errors last 24 hours">
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <table>
        <search base="abc">
          <query>| search $tok$ | table _time _raw</query>
        </search>
        ...
      </table>
    </panel>
  </row>
</form>
0 Karma

IRHM73
Motivator

Hi @jeffland, thank you for taking the time to come back to me with this.

I've tried the 'post process' query you kindly provided, but unfortunately this doesn't return any results, although I know there is data available.

Many thanks and kind regards

Chris

0 Karma

jeffland
SplunkTrust

Does the search return results when you copy the search string from the report and append the rest of the query by hand?

0 Karma

IRHM73
Motivator

Hi @jeffland, if I use the full query as:

 <query>index=main auditSource="matching" auditType="Tx*"
 | rex "IncomingSearchRequest\(Some\((?&lt;inNINO&gt;[^\)]+)\),Some\((?&lt;inFName&gt;[^\)]+)\),Some\((?&lt;inSName&gt;[^\)]+)\),Some\((?&lt;inDOB&gt;[^\)]+)\)\)"
 | eval date=inDOB | eval inDOB=replace(inDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1") 
 | eval inFullName= inFName." ".inSName 
 | eval inFull_Details= "FullName: ".inFullName.", NINO: ".inNINO.", DOB: ".inDOB 
 | makemv delim=", " inFull_Details
 | rex field=_raw "firstName[\\\]\":[\\\]\"(?&lt;cidFName&gt;[^\\\]+)[\\\]"
 | rex field=_raw "lastName[\\\]\":[\\\]\"(?&lt;cidSName&gt;[^\\\]+)[\\\]"
 | rex field=_raw "dateOfBirth[\\\]\":[\\\]\"(?&lt;cidDOB&gt;[^\\\]+)[\\\]"
 | rex field=_raw "nino[\\\]\":[\\\]\"(?&lt;cidNINO&gt;[^\\\]+)[\\\]"
 | rex field=_raw "sautr[\\\]\":[\\\]\"(?&lt;cidSAUTR&gt;[^\\\]+)[\\\]"
 | rex field="detail.output-errors" "(?&lt;ErrorCode&gt;[^\][]+)" 
 | rex mode=sed field=cidDOB "s/(\d\d)(\d\d)(\d\d\d\d)/\1\/\2\/\3/g" 
 | fillnull value="Not Provided" ErrorCode cidFName cidSName cidDOB  cidNINO cidSAUTR
 | eval cidFull_Details= "Firstname: ".cidFName.", Surname: ".cidSName.", DOB: ".cidDOB.", NINO: ".cidNINO.", SA UTR: ".cidSAUTR
 | eval generatedAt=strptime(generatedAt, "%Y-%m-%dT%H:%M:%S")|convert timeformat="%d/%b/%Y %H:%M" ctime(generatedAt)
 | makemv delim=", " cidFull_Details
 | where inFullName="$username$"
 | table inFull_Details cidFull_Details ErrorCode generatedAt | rename inFull_Details TO "Customer Details", cidFull_Details TO "Cid Response", ErrorCode TO "Error Code", generatedAt TO "Date and Time of Submission"</query>

It works absolutely fine.

Many thanks and kind regards

Chris

0 Karma

jeffland
SplunkTrust

Hm. So the source of this error is within how everything is assembled in XML.
I just double checked, and I can reproduce that the above mentioned solution works for me - I can place a "global" search in my XML, give it an id and have it reference a report, and I can then use another search within my table which post-processes the base search. Can you share the XML of your dashboard with that configuration? You can skip any table options and all that if you want to shorten it.

0 Karma

IRHM73
Motivator

Hi @jeffland, thank you for coming back to me with this.

Please find my XML below:

Many thanks and kind regards

Chris

<form>
  <label>Digital Verify &amp; Match</label>
  <description></description>
  <fieldset submitButton="false">
    <input type="time" token="DashboardTime" searchWhenChanged="false">
      <label>Please Select the Time Range</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="username" searchWhenChanged="true">
      <label>Please Select the Customer Name</label>
      <search>
        <query>index=main auditSource="matching" auditType="Tx*" earliest=$DashboardTime.earliest$ latest=$DashboardTime.latest$
          | rex "IncomingSearchRequest\(Some\((?&lt;inNINO&gt;[^\)]+)\),Some\((?&lt;inFName&gt;[^\)]+)\),Some\((?&lt;inSName&gt;[^\)]+)\),Some\((?&lt;inDOB&gt;[^\)]+)\)\)"
          | eval inFullName= inFName." ".inSName
          | stats dc(inFullName) first(inOrOut) As inOrOut By inFullName
          | stats count by inFullName</query>
      </search>
      <fieldForLabel>inFullName</fieldForLabel>
      <fieldForValue>inFullName</fieldForValue>
    </input>
  </fieldset>
  <search id="abc" ref="Digital Verify and Match Test"></search>
  <row>
    <panel>
      <table>
        <title>Data Table</title>
        <search base="abc">
          <query>| search $username$ | table _time _raw</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

jeffland
SplunkTrust

I just copied your code, replaced your report with "Indexing workload" (a report anyone should have in his search app by default) and it worked. Can you check if it works with a different report?
Also, what is the search you see when you click "Open in search" of your panel, before changing to a different report? Is it the search you want to see, i.e. the search of your report with the added post-processing search?

0 Karma

IRHM73
Motivator

Hi @jeffland, I very much appreciate you coming back to me with this.

Unfortunately I'm on leave now without access to my Splunk account. But I will come back to you when I return to work on Monday.

Many thanks and kind regards

Chris

0 Karma

NOUMSSI
Builder

Hi,
Try this:

<savedsearch>"Test Extract" | search inFullName="$username$"</savedsearch>
<savedsearch>"Test Extract" | where inFullName="$username$"</savedsearch>
0 Karma

IRHM73
Motivator

Hi @NOUMSSI, thank you for coming back to me with this, and my apologies for not coming back to you sooner.

Unfortunately this doesn't work, with the dashboard panel constantly displaying "Waiting for Data".

Many thanks and kind regards

Chris

0 Karma
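
Added example, not part of any post in this thread: a post-process search can filter only on fields that the base search returns, and the full query posted above ends in a `table` that does not list inFullName. The sketch below assumes the report "Test Extract" has been edited so its final `table` also lists inFullName (the thread does not show the saved report itself), and it uses the `|s` token filter so the selected name, which originates in log data, is inserted as a quoted value rather than as raw search text.

```xml
<form>
  <label>Token filter on a report-backed base search (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="username" searchWhenChanged="true">
      <label>Please Select the Customer Name</label>
      <search>
        <!-- Same extraction as the dashboard in the thread, reduced to the name fields -->
        <query>index=main auditSource="matching" auditType="Tx*"
          | rex "IncomingSearchRequest\(Some\((?&lt;inNINO&gt;[^\)]+)\),Some\((?&lt;inFName&gt;[^\)]+)\),Some\((?&lt;inSName&gt;[^\)]+)\),Some\((?&lt;inDOB&gt;[^\)]+)\)\)"
          | eval inFullName=inFName." ".inSName
          | stats count by inFullName</query>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>inFullName</fieldForLabel>
      <fieldForValue>inFullName</fieldForValue>
    </input>
  </fieldset>

  <!-- Assumption: the final table command of "Test Extract" now includes
       inFullName. Fields dropped by the report are invisible to any
       post-process search that uses it as a base. -->
  <search id="base" ref="Test Extract"></search>

  <row>
    <panel>
      <table>
        <title>Data Table</title>
        <search base="base">
          <!-- $username|s$ wraps the value in double quotes and escapes any
               quotes inside it, so a name containing a quote or a pipe
               cannot alter the query. The helper field is hidden afterwards. -->
          <query>| search inFullName=$username|s$
            | fields - inFullName</query>
        </search>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
```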