Dashboards & Visualizations

How to save the result from REST search to token?

Cbr1sg
Path Finder

Hello all,
This is my query to save the value of sipname to a token

`| rest /services/authentication/current-context `
`| where username!="splunk-system-user" `
`| fields realname,email`
`| eval sipname=lower(email) `
`| eval sipname=mvindex(split(sipname,"@"),0) `
`|table  realname,sipname`
`<set token="sipname">$row.sipname$</set>`

However this doesn't work, in other dashboards when I use the token '$sipname$', I only see value as '$row.sipname$'

Does anyone have any suggestion? Thanks

Tags (2)
0 Karma
1 Solution

poete
Builder

Hello,

from your post, I understand you try to configure a drilldown.

Please find bellow an example of dashboard.
The change of the token value can be seen in the title of the table.

<dashboard>
  <row>
    <panel>
      <table>
        <title>$sometoken$</title>
        <search>
          <query>| rest /services/authentication/current-context 
| where username!="splunk-system-user" 
| fields realname,email
| eval sipname=lower(email) 
| eval sipname=mvindex(split(sipname,"@"),0) 
|table realname,sipname</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <eval token="sometoken">$row.sipname$</eval>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

poete
Builder

Hello,

from your post, I understand you try to configure a drilldown.

Please find bellow an example of dashboard.
The change of the token value can be seen in the title of the table.

<dashboard>
  <row>
    <panel>
      <table>
        <title>$sometoken$</title>
        <search>
          <query>| rest /services/authentication/current-context 
| where username!="splunk-system-user" 
| fields realname,email
| eval sipname=lower(email) 
| eval sipname=mvindex(split(sipname,"@"),0) 
|table realname,sipname</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <eval token="sometoken">$row.sipname$</eval>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

Cbr1sg
Path Finder

sorry i wasn;t clear enough, i was trying to set the token after the query completed, via:

<done>
<condition match="'job.resultCount' &gt; 0">
         <set token="sipname">$row.sipname$</set>
</condition>
<done>

Means that the token will be set automatically, not by drill down action.

0 Karma

poete
Builder

Then I think this is more what you need.

<dashboard>
  <search>
    <query>| rest /services/authentication/current-context 
 | where username!="splunk-system-user" 
 | fields realname,email
 | eval sipname=lower(email) 
 | eval sipname=mvindex(split(sipname,"@"),0) 
 | head 1
 |table realname,sipname</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <preview>
      <eval token="sometoken">$result.sipname$</eval>
    </preview>
  </search>
  <row>
    <panel>
      <table>
        <title>$sometoken$</title>
        <search>
          <query>| rest /services/authentication/current-context 
 | where username!="splunk-system-user" 
 |table username</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

Please note that in this case, we use result.sipname, not row.sipname, and this may be the cause of your pb.

0 Karma

Cbr1sg
Path Finder

yes this helps to resolve my problem. Thank you very much!

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.