Hello all,
I want to initialize a token value. That is, while the dashboard is opened, that value should be initialized to the token. I have tried writing the token value inside "init". I want to compute the token value in the "init" method; I tried and there is no change. How can I achieve this?
Hi
Check this
<dashboard>
  <label>init</label>
  <init>
    <eval token="temp">1+2</eval>
  </init>
  <row>
    <html>
      $temp$
    </html>
  </row>
</dashboard>
Please post your xml.
[updated]
Try by getting the max number in query and set it in a token.
<dashboard>
  <label>max number</label>
  <search>
    <query>
      | makeresults
      | eval temp="12,33,444,66"
      | makemv delim="," temp
      | stats max(temp) as num
    </query>
    <done>
      <set token="max_num">$result.num$</set>
    </done>
  </search>
  <row>
    <html>
      maximum number: $max_num$
    </html>
  </row>
</dashboard>
@anooshac what do you mean by "I want to compute the token value in init"? Have you tried <eval>? Also what is your current code and what is not working? Give us more information about what you want to achieve on dashboard load so that we can assist you better.
Hi @niketnilay, sorry for that! I have a JSON file which has a field called "NUM". I want to use the largest value of NUM as a token. Is there any way that I can achieve this?
Can I get the largest value like this?
<eval token="num">max(NUM)</eval>
@anooshac let us take one step at a time. So is the JSON file indexed in Splunk? Can you mask/anonymize and provide us with sample data showing the num field in the JSON file? Do you have multiple num fields (multiple events) within same JSON file or multiple JSON files that get indexed in Splunk?
Your first step should be to analyze the data and come up with the SPL search to get the required data first i.e. use Splunk Search to find answer to your problem and then think how to put the same in Dashboard.
Hello @niketn, I am not able to post any screenshot here as I have too few karma points. I have multiple JSON files which are indexed.
source="abc_*" index="myindex" sourcetype="_json"| table NUM
So this is the query from which I get NUM. I want the largest NUM to be used in my dashboard, and that value should be assigned to the token automatically when the dashboard is opened. Is it possible to find that largest value like this?
<eval token="num">max(NUM)</eval>
Or should I write a separate query to find that number?
This would need to be an independent search and set the token using Search Event Handler. However, there are some additional questions you must consider:
Hello @niketnilay, yes, I'm using INDEXED_EXTRACTION=json in props.conf.
I want to consider all the JSON files that I have uploaded so far.
We can use a separate query to find the largest number, but is there any way that I can find it in init?
@anooshac an independent search (a search not attached to a viz/panel) can also be used to initialize a token that can later be used in the dashboard. Try the following tstats, which will work on INDEXED EXTRACTED fields and sets the token tokMaxNum, similar to the init section. (I have run it for all time, but you should consider how many days it should actually pick. Ideally, if you have a time filter in the dashboard, then use those tokens in the tstats search.)
<dashboard>
  <label>XYZ</label>
  <description>Your Dashboard Description</description>
  <search>
    <query>| tstats max(NUM) as maxNum earliest=0 latest=now
    </query>
    <done>
      <set token="tokMaxNum">$result.maxNum$</set>
    </done>
  </search>
  ...
  ...
Please try out and confirm. For further assistance do provide what you currently have with sample code (mock/anonymize) any sensitive information similar to above example before posting on Splunk Answers.
Hi @niketnilay, thank you so much for the answer. It is working!!
@anooshac good to know. If you have used the tstats query do upvote my previous comment as you have already accepted another answer!
Do think about other scenario as to why you have to run all time search and whether it can be narrowed down to some recent time window as All time searches are expensive (even with tstats if there are too many events)
Hi @niketnilay, once again thanks a lot for the help. I didn't find an option to accept your answer. Can you please tell me where I can find it?
Thanks for the suggestion @niketnilay, I'm thinking of changing it to a narrowed search, and it also has options like last day, last week, etc.
Hi @vnravikumar, thanks for answering. Is there any way to use the max function in the init block?
I have a field called "num" in my file. I want to use the largest number as a token.
<eval token="temp">max(num)</eval>
Can I modify my code like this?
From where are you getting the num field?
The field "num" is in my json file.
Can you brief your requirement, whether the json data is indexed?
I want to use the largest value of "num" field of json file as token. As the data is dynamic the largest value may change accordingly. Yes the json data is indexed.
Is there any way to achieve this?
Hi
Try by getting the max number in query and set it in a token.
<dashboard>
  <label>max number</label>
  <search>
    <query>
      | makeresults
      | eval temp="12,33,444,66"
      | makemv delim="," temp
      | stats max(temp) as num
    </query>
    <done>
      <set token="max_num">$result.num$</set>
    </done>
  </search>
  <row>
    <html>
      maximum number: $max_num$
    </html>
  </row>
</dashboard>
Thank you! I'll try this and let you know.
Hi @vnravikumar, I tried using your code. Thank you so much, it is working!
Please accept my answer