Dashboards & Visualizations

How to initialize a token value

anooshac
Communicator

Hello all,
I want to initialize a token value. That is, when the dashboard is opened, that value should be initialized to the token. I have tried writing the token value inside "init". I want to compute the token value in the "init" method; I tried and there is no change. How can I achieve this?


vnravikumar
Champion

Hi

Check this

<dashboard>
  <label>init</label>
  <init>
    <eval token="temp">1+2</eval>
  </init>
  <row>
    <html>
      $temp$
    </html>
  </row>
</dashboard>

Please post your xml.

[updated]

Try by getting the max number in query and set it in a token.

<dashboard>
  <label>max number</label>
  <search>
    <query>
      | makeresults
      | eval temp="12,33,444,66"
      | makemv delim="," temp
      | stats max(temp) as num
    </query>
    <done>
      <set token="max_num">$result.num$</set>
    </done>
  </search>
  <row>
    <html>
      maximum number: $max_num$
    </html>
  </row>
</dashboard>

niketn
Legend

@anooshac what do you mean by I want to compute the token value in init? Have you tried <eval>? Also what is your current code and what is not working? Give us more information about what you want to achieve on dashboard load so that we can assist you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

anooshac
Communicator

Hi @niketnilay, sorry for that! I have a JSON file which has a field called "NUM". I want to use the largest value of NUM as a token. Is there any way that I can achieve this?

Can I get the largest value like this?

 <eval token="num">max(NUM)</eval>

niketn
Legend

@anooshac let us take one step at a time. So is the JSON file indexed in Splunk? Can you mask/anonymize and provide us with sample data showing the num field in the JSON file? Do you have multiple num fields (multiple events) within same JSON file or multiple JSON files that get indexed in Splunk?

Your first step should be to analyze the data and come up with the SPL search to get the required data first i.e. use Splunk Search to find answer to your problem and then think how to put the same in Dashboard.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

anooshac
Communicator

Hello @niketn, I am not able to post any screenshot here as I have too few karma points. I have multiple JSON files which are indexed.

source="abc_*" index="myindex" sourcetype="_json"| table NUM

So this is the query from which I get NUM. I want the largest NUM to be used in my dashboard, and that value should be assigned to the token automatically when the dashboard is opened. Is it possible to find that largest value like this?

 <eval token="num">max(NUM)</eval>

Or should I write a separate query to find that number?

niketn
Legend

This would need to be an independent search and set the token using Search Event Handler. However, there are some additional questions you must consider:

  1. Since the data indexed is JSON, are you using INDEXED_EXTRACTION=json in props.conf? This will allow you to query NUM field through tstats command which will work really fast.
  2. If you are getting multiple JSON files, how many files do you want to consider for calculating max? For example based on all files that have come in last hour, last 24 hours, today, yesterday or any other timing? Or just based on last 10, 100 or 1000 files?
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

anooshac
Communicator

Hello @niketnilay, yes, I'm using INDEXED_EXTRACTION=json in props.conf.
I want to consider all the JSON files that I have uploaded so far.
We can use a separate query to find the largest number, but is there any way that I can find it in init?

niketn
Legend

@anooshac an independent search (search without being attached to a viz/panel) can also be used to initialize token that can be later-on used in the dashboard. Try the following tstats which will work on INDEXED EXTRACTED fields and sets the token tokMaxNum similar to init section. (I have run for all time but you should consider how many days should it actually pick. Ideally if you have a time filter in the dashboard then use those tokens in tstats search).

<dashboard>
     <label>XYZ</label>
     <description>Your Dashboard Description</description>
     <search>
         <query>| tstats max(NUM) as maxNum earliest=0 latest=now
         </query>
         <done>
              <set token="tokMaxNum">$result.maxNum$</set>
         </done>
     </search>
    ...
    ...

Please try out and confirm. For further assistance do provide what you currently have with sample code (mock/anonymize) any sensitive information similar to above example before posting on Splunk Answers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
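
A complete dashboard built on the approach in the post above, as an added example that is not part of the original thread: the tstats search is bounded by a time picker instead of running over all time, and the token is only set when the search returns a result. The index and sourcetype are taken from the question; the token name tokTime and the label are assumptions.

```xml
<form>
  <label>Max NUM token (added example)</label>
  <fieldset submitButton="false">
    <!-- tokTime is a hypothetical token name for the time picker -->
    <input type="time" token="tokTime">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Independent search (not attached to a panel): runs on load and
       again whenever the time picker changes -->
  <search>
    <query>| tstats max(NUM) as maxNum where index=myindex sourcetype=_json</query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <done>
      <!-- No rows returned: clear the token so no stale value is shown -->
      <condition match="'job.resultCount' == 0">
        <unset token="tokMaxNum"></unset>
      </condition>
      <!-- Otherwise copy the first result row's maxNum into the token -->
      <condition>
        <set token="tokMaxNum">$result.maxNum$</set>
      </condition>
    </done>
  </search>
  <row>
    <!-- Panel stays hidden until tokMaxNum is set -->
    <panel depends="$tokMaxNum$">
      <html>
        <!-- |h applies the HTML token filter to the search-derived value -->
        maximum number: $tokMaxNum|h$
      </html>
    </panel>
  </row>
</form>
```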

anooshac
Communicator

hi @niketnilay , thank you so much for the answer. It is working !!


niketn
Legend

@anooshac good to know. If you have used the tstats query do upvote my previous comment as you have already accepted another answer!

Do think about other scenario as to why you have to run all time search and whether it can be narrowed down to some recent time window as All time searches are expensive (even with tstats if there are too many events)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

anooshac
Communicator

Hi @niketnilay, once again thanks a lot for the help. I didn't find an option to accept your answer. Can you please tell me where I can find it?

Thanks for the suggestion @niketnilay, I'm thinking of changing it to a narrowed search, and it also has options like last day, last week, etc.

anooshac
Communicator

Hi @vnravikumar, thanks for answering. Is there any way to use the max function in the init block?

I have a field called "num" in my file. I want to use the largest number as a token.

 <eval token="temp">max(num)</eval>

Can I modify my code like this?

vnravikumar
Champion

From where are you getting the num field?


anooshac
Communicator

The field "num" is in my json file.


vnravikumar
Champion

Can you brief your requirement, whether the json data is indexed?


anooshac
Communicator

I want to use the largest value of "num" field of json file as token. As the data is dynamic the largest value may change accordingly. Yes the json data is indexed.
Is there any way to achieve this?


vnravikumar
Champion

Hi

Try by getting the max number in query and set it in a token.

<dashboard>
  <label>max number</label>
  <search>
    <query>
      | makeresults
      | eval temp="12,33,444,66"
      | makemv delim="," temp
      | stats max(temp) as num
    </query>
    <done>
      <set token="max_num">$result.num$</set>
    </done>
  </search>
  <row>
    <html>
      maximum number: $max_num$
    </html>
  </row>
</dashboard>

anooshac
Communicator

Thank you! I'll try this and let you know.


anooshac
Communicator

Hi @vnravikumar, I tried using your code. Thank you so much, it is working!

vnravikumar
Champion

Please accept my answer
