Dashboards & Visualizations

How to pass token from dashboard to a report

Communicator

I have a simple dashboard that I use to input an IP address to query a report I've saved.

   <form>
      <label>Syslog Data Search</label>
      <fieldset autoRun="true" submitButton="false">
        <input type="text" token="ip" searchWhenChanged="true">
          <label>IP address:</label>
          <default></default>
        </input>
      </fieldset>
      <row>
        <panel>
          <title>Syslog Report</title>
          <table>
            <search ref="Syslog Report"></search>
            <drilldown>
              <link target="_blank">https://whois.domaintools.com/$click.value$</link>
            </drilldown>
          </table>
        </panel>
      </row>
    </form>

I've configured the report to use the token via SRC=$ip$

However this does not work and the token is not passed to the report after entering it into the dashboard. Is it even possible to pass a token to a report?

Tags (3)
0 Karma

Champion

Hi @orion44

Try like

<form>
  <label>SampleDashboard</label>
  <fieldset submitButton="false">
    <input type="text" token="name_param">
      <label>Name</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|savedsearch testreport name="$name_param$"</query>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">/app/search/report?s=testreport</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Communicator

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'Syslog Report': Error while replacing variable name='ip'. Could not find variable in the argument map..

0 Karma

Champion

In your case, >|savedsearch testreport ip="$name_param$"

0 Karma

Communicator

Still doesn't work.

My saved report defines the variable as SRC=ip

The dashboard captures and passes the variable like this:
<input type="text" token="ip" searchWhenChanged="true">
|savedsearch "Syslog Report" ip=$ip$

0 Karma

Champion

Try with

|savedsearch "Syslog Report" ip="$ip$"
0 Karma

Communicator

Thanks, I appreciate the time you've spent to help me with this. Unfortunately that still doesn't work. I don't think it's possible to pass tokens to saved searches.

0 Karma

Champion

Its possible. Try to execute the query in search bar with some ip address like and test
|savedsearch "Syslog Report" ip="192.168.56.1"

0 Karma

Explorer

its possible to pass the token through saved search, but token field name is the one you need to use it in your savedsearch report query.

if you want to exexute : |savedsearch "Syslog Report" token_SourceIPAddress="$ip$"
your saved search should be like,

index=someindex src_ip_field=$token_SourceIPAddress$

0 Karma

Path Finder

Seems like the long way around - but it works like a charm!

0 Karma

Esteemed Legend

You can do this with the | savedsearch command which allows you to pass tokens to it:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch

Contributor

This seems to also imply we cannot schedule the report. If there is a variable in the report, then the report will not know what to do with it, no?

0 Karma

Esteemed Legend

Correct; one or the other.

0 Karma

Contributor

Thank you. I clicked the vote. 🙂

Do you know how to place the report last run date/time on the dashboard? Since the data is essentially static, and only as good as the last run. I would like to place the last run date so it's "Effective as of..."

0 Karma