Solved: How to reference a dashboard token in an HTML pane...

ScottSusman · ‎10-17-2016

I regularly get requests for some data that I get from several searches. The people requesting it like it formatted just so, so instead of manually formatting it each time I'd like to have my searches in a dashboard with all the needed data being sent to an html panel so I can format it correctly.

Can someone please help direct me to what I'm doing wrong? I've tried changing the table to a single value and tried various ways to set the token.

Run anywhere:

<dashboard>
  <label>test</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| metadata type=hosts | head 1</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
          <condition match="'job.isDone'">
            <set token="MyHost">$results.host$</set>
          </condition>
        </search>
      </table>
    </panel>
    <panel>
      <html>
        <p>Host: $MyHost$</p>
      </html>
    </panel>
  </row>
</dashboard>

I get back:

firstTime   host         lastTime     recentTime   totalCount   type
1476644722   myHostName   1476736882   1476736882   154103       hosts

and Host: $MyHost$ instead of Host: myHostName

Thank you!

cmerriman · ‎10-18-2016

try setting the job.isDone equal to 1, so that it has to be true to set the token?

  <search>
    <query>...</query>
    <done>
      <condition match="'job.isDone'"=1>
      <set token="host">$result.host$</set>
     </condition>
    </done>
  </search>
</panel>


<html>
      $host$
      </html>

View solution in original post

ScottSusman · ‎10-18-2016

Not sure if it's relevant, but I can see the value switch from $MyHost$ to $result.host$.

cmerriman · ‎10-18-2016

try setting the job.isDone equal to 1, so that it has to be true to set the token?

  <search>
    <query>...</query>
    <done>
      <condition match="'job.isDone'"=1>
      <set token="host">$result.host$</set>
     </condition>
    </done>
  </search>
</panel>


<html>
      $host$
      </html>

ScottSusman · ‎10-18-2016

<condition match="'job.isDone'"=1> was a syntax error, but when I changed it to <condition match="'job.isDone'=1"> (with the =1 inside the quotes) it stayed as $MyHost$.

bullet · ‎01-30-2023

Even I had error and I had to drop the =1 for the error to go away.

cmerriman · ‎10-18-2016

  <row>
    <panel>
      <table>
        <search>
          <query>| metadata type=hosts | head 1</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
          <preview>
       <set token="host">$result.host$</set>
     </preview>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <html>
       $host|h$
       </html>
  </row>

ScottSusman · ‎10-18-2016

It works! You rock!

ScottSusman · ‎10-18-2016

It looks like between 6.4.0 and 6.5.0 there were some changes to the search options in the Simple XML. Apparently it's important to be looking at docs for the correct version.

<done>  text        Execute actions based on finished search events.
<preview>   text        Preview of search results. Includes job properties and first result row.

Thank you so much!

afishkin_splunk · ‎10-18-2016

Element <condition> is child of one of Search Handler, such as
<done | error | fail | cancelled | progress>
Please move <condition> under <progress>

ScottSusman · ‎10-18-2016

That's pretty similar to somesoni2's suggestion to use instead of

Using <progress><condition> I now get Host: $result.host$.

         <search>
           <query>| metadata type=hosts | head 1</query>
           <earliest>-60m</earliest>
           <latest>now</latest>
           <progress>
             <condition match="'job.isDone'">
               <set token="MyHost">$result.host$</set>
             </condition>
           </progress>
         </search>

somesoni2 · ‎10-17-2016

Try like this (run anywhere sample)

<dashboard>
  <label>test</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | head 1 | table host sourcetype source</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
          <done><set token="MyHost">$result.host$</set></done>
        </search>
      </table>
    </panel>
    <panel depends="$MyHost$">
      <html>
         <p>Host: $MyHost$</p>
       </html>
    </panel>
  </row>
</dashboard>

gvnd · ‎06-16-2017

Thanks, This is what exactly which I was searching for last 5 days..

ScottSusman · ‎10-17-2016

Hm... same result on Splunk at work. Works perfect at home.

somesoni2 · ‎10-17-2016

Check the token value is $result.host$ and not $results.host$ .

ScottSusman · ‎10-18-2016

Yep, I'm using result now, not results. I copy/pasted your example (I don't have access to _internal so I changed it to index=*).

At work we have version 6.4.0 and at home I have 6.5.0 (both Enterprise) but I wouldn't think that would matter with something this basic.

How to reference a dashboard token in an HTML panel?

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!

Enterprise Security Content Update (ESCU) | New Releases