Dashboards & Visualizations

How to prevent a search from running if a token doesn't exist?

azulgrana
Path Finder

Hi there,

I have a dashboard with several singles with a depends="$token_name$" to display info based on tokens. My understanding is that the "depends" is just for hiding or displaying data and no matter the value of the token, the search associated to the object would still run behind the scenes, is this correct? If so, would it be possible to prevent the search from running unless the $token_name$ exists? in other works is there a "depends" that we could use at the search level?

TIA!

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

To keep a search from running until a token is defined, put that token in the search query. You can even put it in a comment.

`comment($token|s$)`
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

To keep a search from running until a token is defined, put that token in the search query. You can even put it in a comment.

`comment($token|s$)`
---
If this reply helps you, Karma would be appreciated.

SkyeCoder
Explorer

This was extremely useful for me, I have a question, how can I append the search based on a second token?

like:

 

$tk1|s$ index="123" | timechart count AS 123 | append search $tk2|s$ index="456" | timechart count 456

 

I want the first part to run with the first token set, and the second part to run only if the second token is set too. how can I do this?

0 Karma

azulgrana
Path Finder

Very cool, thanks Rich for your help!

0 Karma

jrceja313
Engager

To check if the search actually runs even when it is hidden, you should go to your job history and see if the search has ran even though the token didn't exist and the panel didn't show.

If the search does run (I don't think it does, but am not 100% sure) you could put a token value in the search and unset on start so it doesn't run.
The search will definitely not run if the token in the search does not exist.
Then when you want the search to run, you can make a condition to give the token a value (it could even just be a "" or *) so that the search can run since the token will then exist.

I would check your managed jobs first to see if the search runs even though the panel is hidden.

0 Karma

jrceja313
Engager

The answer from @richgalloway would work too. (Would still be good to check the managed jobs though to see if it matters)

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...