Dashboards & Visualizations

How to reference a dashboard token in an HTML panel?

ScottSusman
Explorer

I regularly get requests for some data that I get from several searches. The people requesting it like it formatted just so, so instead of manually formatting it each time I'd like to have my searches in a dashboard with all the needed data being sent to an html panel so I can format it correctly.

Can someone please help direct me to what I'm doing wrong? I've tried changing the table to a single value and tried various ways to set the token.

Run anywhere:

<dashboard>
  <label>test</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| metadata type=hosts | head 1</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
          <condition match="'job.isDone'">
            <set token="MyHost">$results.host$</set>
          </condition>
        </search>
      </table>
    </panel>
    <panel>
      <html>
        <p>Host: $MyHost$</p>
      </html>
    </panel>
  </row>
</dashboard>

I get back:

firstTime   host         lastTime     recentTime   totalCount   type
1476644722   myHostName   1476736882   1476736882   154103       hosts

and Host: $MyHost$ instead of Host: myHostName

Thank you!

1 Solution

cmerriman
Super Champion

try setting the job.isDone equal to 1, so that it has to be true to set the token?

  <search>
    <query>...</query>
    <done>
      <condition match="'job.isDone'"=1>
      <set token="host">$result.host$</set>
     </condition>
    </done>
  </search>
</panel>


<html>
      $host$
      </html>

View solution in original post

ScottSusman
Explorer

Not sure if it's relevant, but I can see the value switch from $MyHost$ to $result.host$.

0 Karma

cmerriman
Super Champion

try setting the job.isDone equal to 1, so that it has to be true to set the token?

  <search>
    <query>...</query>
    <done>
      <condition match="'job.isDone'"=1>
      <set token="host">$result.host$</set>
     </condition>
    </done>
  </search>
</panel>


<html>
      $host$
      </html>

ScottSusman
Explorer

<condition match="'job.isDone'"=1> was a syntax error, but when I changed it to <condition match="'job.isDone'=1"> (with the =1 inside the quotes) it stayed as $MyHost$.

0 Karma

bullet
Explorer

Even I had error and I had to drop the =1 for the error to go away.

0 Karma

cmerriman
Super Champion
  <row>
    <panel>
      <table>
        <search>
          <query>| metadata type=hosts | head 1</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
          <preview>
       <set token="host">$result.host$</set>
     </preview>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <html>
       $host|h$
       </html>
  </row>
0 Karma

ScottSusman
Explorer

It works! You rock!

0 Karma

ScottSusman
Explorer

It looks like between 6.4.0 and 6.5.0 there were some changes to the search options in the Simple XML. Apparently it's important to be looking at docs for the correct version.

<done>  text        Execute actions based on finished search events.
<preview>   text        Preview of search results. Includes job properties and first result row.

Thank you so much!

0 Karma

afishkin_splunk
Splunk Employee
Splunk Employee

Element <condition> is child of one of Search Handler, such as
<done | error | fail | cancelled | progress>
Please move <condition> under <progress>

0 Karma

ScottSusman
Explorer

That's pretty similar to somesoni2's suggestion to use instead of

Using <progress><condition> I now get Host: $result.host$.

         <search>
           <query>| metadata type=hosts | head 1</query>
           <earliest>-60m</earliest>
           <latest>now</latest>
           <progress>
             <condition match="'job.isDone'">
               <set token="MyHost">$result.host$</set>
             </condition>
           </progress>
         </search>
0 Karma

somesoni2
Revered Legend

Try like this (run anywhere sample)

<dashboard>
  <label>test</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | head 1 | table host sourcetype source</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
          <done><set token="MyHost">$result.host$</set></done>
        </search>
      </table>
    </panel>
    <panel depends="$MyHost$">
      <html>
         <p>Host: $MyHost$</p>
       </html>
    </panel>
  </row>
</dashboard>

gvnd
Path Finder

Thanks, This is what exactly which I was searching for last 5 days..

0 Karma

ScottSusman
Explorer

Hm... same result on Splunk at work. Works perfect at home.

0 Karma

somesoni2
Revered Legend

Check the token value is $result.host$ and not $results.host$.

0 Karma

ScottSusman
Explorer

Yep, I'm using result now, not results. I copy/pasted your example (I don't have access to _internal so I changed it to index=*).

At work we have version 6.4.0 and at home I have 6.5.0 (both Enterprise) but I wouldn't think that would matter with something this basic.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...