I have a simple dashboard that I use to input an IP address to query a report I've saved.
<form>
<label>Syslog Data Search</label>
<fieldset autoRun="true" submitButton="false">
<input type="text" token="ip" searchWhenChanged="true">
<label>IP address:</label>
<default></default>
</input>
</fieldset>
<row>
<panel>
<title>Syslog Report</title>
<table>
<search ref="Syslog Report"></search>
<drilldown>
<link target="_blank">https://whois.domaintools.com/$click.value$</link>
</drilldown>
</table>
</panel>
</row>
</form>
I've configured the report to use the token via SRC=$ip$
However this does not work and the token is not passed to the report after entering it into the dashboard. Is it even possible to pass a token to a report?
Hi @orion44
Try like
<form>
<label>SampleDashboard</label>
<fieldset submitButton="false">
<input type="text" token="name_param">
<label>Name</label>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|savedsearch testreport name="$name_param$"</query>
</search>
<option name="drilldown">cell</option>
<drilldown>
<link target="_blank">/app/search/report?s=testreport</link>
</drilldown>
</table>
</panel>
</row>
</form>
Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'Syslog Report': Error while replacing variable name='ip'. Could not find variable in the argument map..
In your case, >|savedsearch testreport ip="$name_param$"
Still doesn't work.
My saved report defines the variable as SRC=ip
The dashboard captures and passes the variable like this:
<input type="text" token="ip" searchWhenChanged="true">
|savedsearch "Syslog Report" ip=$ip$
Try with
|savedsearch "Syslog Report" ip="$ip$"
Thanks, I appreciate the time you've spent to help me with this. Unfortunately that still doesn't work. I don't think it's possible to pass tokens to saved searches.
Its possible. Try to execute the query in search bar with some ip address like and test
|savedsearch "Syslog Report" ip="192.168.56.1"
its possible to pass the token through saved search, but token field name is the one you need to use it in your savedsearch report query.
if you want to exexute : |savedsearch "Syslog Report" token_SourceIPAddress="$ip$"
your saved search should be like,
index=someindex src_ip_field=$token_SourceIPAddress$
Seems like the long way around - but it works like a charm!
You can do this with the | savedsearch
command which allows you to pass tokens to it:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch
This seems to also imply we cannot schedule the report. If there is a variable in the report, then the report will not know what to do with it, no?
Correct; one or the other.
Thank you. I clicked the vote. 🙂
Do you know how to place the report last run date/time on the dashboard? Since the data is essentially static, and only as good as the last run. I would like to place the last run date so it's "Effective as of..."