How to set a value to a token from an inputlookup?

smaran06
Path Finder

Hi All,

I am planning to set a value to a token from an inputlookup table as shown below, and I want to use this start_time and end_time as the earliest and latest values. However, the set token is not taking a value at all from the inputlookup.

Can someone let me know if I am doing anything wrong here?

      <set token="start_time">|inputlookup lookuptable |where DATE="$date$"|table START_TIME</set>
      <set token="end_time">|inputlookup lookuptable |where DATE="$date$"|table END_TIME</set>
    </condition>
  </change>

somesoni2
SplunkTrust

Try something like this

<input type="dropdown" token="date" searchWhenChanged="true">
   <label>EVENT DATE</label>
   <search>
     <query>|inputlookup lookuptable |stats count by  DATE</query>
     <earliest>-15m</earliest>
     <latest>now</latest>
   </search>
   <fieldForLabel>DATE</fieldForLabel>
   <fieldForValue>DATE</fieldForValue>
  </input>   
 <panel>
   <single>
     <search>
       <query>index="app" [| inputlookup lookuptable |where DATE="$date$"|table START_TIME END_TIME | rename START_TIME as earliest END_TIME as latest  ]|stats count as total</query>
       <earliest>-15m</earliest>
       <latest>now</latest>
     </search>
   </single>
 </panel>


smaran06
Path Finder

Thanks Simon,

But I am trying to set a value to a token from an inputlookup, so that I can use the token value in the earliest and latest fields. I am worried about the part below.

 <condition value="$date$">
   <set token="start_time">|inputlookup lookuptable |where DATE="$date$"|table START_TIME</set>
   <set token="end_time">|inputlookup lookuptable |where DATE="$date$"|table END_TIME</set>
 </condition>

Your solution says as below, which is not talking about setting a value to a token.

  <search>
    <query>index="app" [| inputlookup lookuptable |where DATE="$date$"|table START_TIME END_TIME | rename START_TIME as earliest END_TIME as latest  ]|stats count as total</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
</single>

Can you let me know how I can set values to those tokens dynamically?


joelurtubia
Explorer

I have the same question... I need that for a link map, to create another dashboard. Please, is it possible to do that? To create a token from a unique query?

I am trying to create the "lat_tok" token from a query that gets its input from the main query.

<panel>
  <table>
    <title>ONTs CON EVENTO POR LOCALIDAD</title>
    <search>
      <query>sourcetype="snmptrap-accesos-telsur" "DYING_GASP_ALARM" index=main  | eval ipaddress=enterprises_5504_2_7_1_1_6 | eval ip_1=split(ipaddress,": ") | eval ip_address=mvindex(ip_1,1) | fields ip_address, alarma_mxk,puerto_ont_mxk | dbxlookup lookup="snmptraps_accesos_telsur" | table tecnologia,modelo,zonal,localidad,sitio,hostname,puerto_ont_mxk | search tecnologia=ZHONE AND modelo=MXK* | eval H-P=hostname."-".puerto_ont_mxk | stats count by zonal,localidad,sitio,hostname,H-P | stats count by zonal,localidad | sort -count | rename zonal as ZONAL,localidad as LOCALIDAD, count as "CANTIDAD DE ONTS"</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <refresh>1m</refresh>
      <finalized>
        <condition match=" 'job.resultCount' != 0">
          <set token="location">$result.LOCALIDAD$</set>
        </condition>
      </finalized>
    </search>
    <drilldown target="My New Window">
      <condition field="LOCALIDAD">
        <set token="lat_tok"><query>| inputlookup localidad.csv | stats count by ID_ZONAL,DESC_ZONAL,GEOGRAP_LOCATION_ID,GEOGRAP_LOCATION_DESCRIPTION,COORDENADA_X,COORDENADA_Y,ID_FILAMENTO_CDA,FILAMENTO_CDA | where (like(GEOGRAP_LOCATION_DESCRIPTION,"$location$")) | table COORDENADA_Y</query></set>
        <link>
          <![CDATA[
          /app/search/zonales_energia_mapas?location=$row.LOCALIDAD$&lat_tok=$lat_tok$&lon_tok=-72.809973
          ]]>
        </link>
      </condition>
    </drilldown>
    <option name="dataOverlayMode">heatmap</option>
  </table>
</panel>

Please help me, thanks.


somesoni2
SplunkTrust

What I am basically doing here is, instead of setting the token with lookup table values (corresponding to the selected $date$), I am directly using the query in the search. So, this

<condition value="$date$">
    <set token="start_time">|inputlookup lookuptable |where DATE="$date$"|table START_TIME</set>
    <set token="end_time">|inputlookup lookuptable |where DATE="$date$"|table END_TIME</set>
  </condition>

with 
<query>earliest="$start_time$" latest="$end_time$" index="app" |stats count as total</query>

is equivalent to just this

<query>index="app" [| inputlookup lookuptable |where DATE="$date$"|table START_TIME END_TIME | rename START_TIME as earliest END_TIME as latest  ]|stats count as total</query>

Have you tried to run the search like that? The only drawback with this approach is that you need to put the subsearch in all the places you want to use $start_time$ as earliest and $end_time$ as latest.

smaran06
Path Finder

Perfect, that worked. I need to tweak it a little bit:

[|inputlookup lookuptable |where DATE="$date$"|table START_TIME ,END_TIME | rename START_TIME as earliest |rename END_TIME as latest    | format "(" "(" "" ")" "OR" ")"  ]
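
An added example (not code from any post in this thread) of a complete Simple XML form that sets start_time and end_time from the lookup through a search `<done>` handler, which reads the first result row via `$result.<field>$`, so the subsearch does not have to be repeated in every panel. It assumes START_TIME and END_TIME hold values that are valid as SPL time modifiers; the `|s` token filter quotes $date$ before it is placed into the query, since form tokens can also be supplied through the dashboard URL.

```xml
<form>
  <label>Lookup-driven time range (added example)</label>
  <!-- Hidden search: re-runs whenever $date$ changes and copies the first
       result row into tokens. lookuptable, DATE, START_TIME and END_TIME
       are the names used in the thread. -->
  <search>
    <query>| inputlookup lookuptable | where DATE=$date|s$ | head 1 | table START_TIME END_TIME</query>
    <done>
      <condition match="'job.resultCount' &gt; 0">
        <set token="start_time">$result.START_TIME$</set>
        <set token="end_time">$result.END_TIME$</set>
      </condition>
      <condition match="'job.resultCount' == 0">
        <!-- No matching row: clear the tokens so dependent panels wait
             instead of running with a stale time range. -->
        <unset token="start_time"></unset>
        <unset token="end_time"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="date" searchWhenChanged="true">
      <label>EVENT DATE</label>
      <search>
        <query>| inputlookup lookuptable | stats count by DATE</query>
      </search>
      <fieldForLabel>DATE</fieldForLabel>
      <fieldForValue>DATE</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <!-- Same panel query as in the original question; it only runs
               once both tokens have been set by the handler above. -->
          <query>earliest="$start_time$" latest="$end_time$" index="app" | stats count as total</query>
        </search>
      </single>
    </panel>
  </row>
</form>
```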

ppablo
Retired

Hi @smaran06

Glad you found a solution through @somesoni2 🙂 Please don't forget to resolve your question by clicking "Accept" directly below his answer. This will make it easier for other users with similar issues to find this post.


somesoni2
SplunkTrust

Depending upon how your dashboard queries look, you would be able to use the "| inputlookup lookuptable" values directly in the search (as a subsearch) to be used as earliest and latest. If you can provide some samples of the queries that you're trying to use, we can provide better suggestions.


smaran06
Path Finder
<input type="dropdown" token="date" searchWhenChanged="true">
  <label>EVENT DATE</label>
  <search>
    <query>|inputlookup lookuptable |stats count by  DATE</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
  <fieldForLabel>DATE</fieldForLabel>
  <fieldForValue>DATE</fieldForValue>
  <change>
    <condition value="$date$">
      <set token="start_time">|inputlookup lookuptable |where DATE="$date$"|table START_TIME</set>
      <set token="end_time">|inputlookup lookuptable |where DATE="$date$"|table END_TIME</set>
    </condition>
  </change>
</input>



<panel>
  <single>
    <search>
      <query>earliest="$start_time$" latest="$end_time$" index="app" |stats count as total</query>
      <earliest>-15m</earliest>
      <latest>now</latest>
    </search>
  </single>
</panel>