Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set a token based on search results?

troyward
Explorer
‎07-21-2018 09:20 PM

I have an dropdown input that allows a user to select a user name:

  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="DisplayUsername" searchWhenChanged="true">
      <search id="base_0">
        <query>
          | inputlookup users | fields DisplayUsername | dedup DisplayUsername | sort DisplayUsername
        </query>
        <earliest>0</earliest>
      </search>
      <label>User</label>
      <fieldForLabel>DisplayUsername</fieldForLabel>
      <fieldForValue>DisplayUsername</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>

This provides me a token with the users Display Name which I need. But I also need to then get the team that the user belongs to which is in the same lookup table as the initial search. My first idea was to create a new token that is set with the dropdown's Change event like this:

      <change>
        <set token="tok_Team">| inputlookup ctf_users 
          | search DisplayUsername = "Tommy Tiertwo" 
          | fields Team</set>
      </change>

But when I do that, the token is actually set to the search string itself and not the result. Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-21-2018 10:21 PM

@troyward,

Try this and adjust the searches according to your fields and indexes

<form>
  <label>Token Based On Search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="DisplayUsername">
      <label>DisplayUsername</label>
      <fieldForLabel>DisplayUsername</fieldForLabel>
      <fieldForValue>DisplayUsername</fieldForValue>
      <search>
        <query>| inputlookup users | fields DisplayUsername | dedup DisplayUsername | sort DisplayUsername</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel depends="$this_token_is_not_set_at_anytime$">
      <table>
         <search>
            <query> inputlookup ctf_users| search DisplayUsername="$DisplayUsername$"|fields Team </query>
            <earliest>-15m</earliest>
            <latest>now</latest>            
            <done>
              <set token="Department">$result.Team$</set>
            </done>
        </search>
      </table>
    </panel>
    <panel>
      <title>$DisplayUsername$   : $Department$</title>
      <table>
        <search>
          <query>index="your index" user="$DisplayUsername$" Department="$Department$"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-21-2018 10:21 PM

@troyward,

Try this and adjust the searches according to your fields and indexes

<form>
  <label>Token Based On Search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="DisplayUsername">
      <label>DisplayUsername</label>
      <fieldForLabel>DisplayUsername</fieldForLabel>
      <fieldForValue>DisplayUsername</fieldForValue>
      <search>
        <query>| inputlookup users | fields DisplayUsername | dedup DisplayUsername | sort DisplayUsername</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel depends="$this_token_is_not_set_at_anytime$">
      <table>
         <search>
            <query> inputlookup ctf_users| search DisplayUsername="$DisplayUsername$"|fields Team </query>
            <earliest>-15m</earliest>
            <latest>now</latest>            
            <done>
              <set token="Department">$result.Team$</set>
            </done>
        </search>
      </table>
    </panel>
    <panel>
      <title>$DisplayUsername$   : $Department$</title>
      <table>
        <search>
          <query>index="your index" user="$DisplayUsername$" Department="$Department$"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-19-2019 12:36 PM

Line #19 is missing a leading pipe, right?

Reply
Solved! Jump to solution

troyward
Explorer
‎07-22-2018 08:20 PM

Worked perfect. Wish there was a cleaner way to do it, but either way...thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...