Dashboards & Visualizations

How to store search results in token and form token?

jprovenzale
Explorer

Hello,

I have a dashboard that has a multi-select dropdown that contains a list of all database names.

When the dashboard is first run, the token that would hold the database name if a selection was made in the dropdown is set to * so all database events are read. Only the top 5 are returned.

My query looks like this:

index=whatever shard IN ("*") 
| chart count as result by shard
| sort -result
| head 5

So say the display panel shows results for these databases.

229, 290, 112, 273, 242

I want to set the dropdown labelled Shards form token "form.shardToken" to the list of databases returned as well as updating the token shardToken with the same list of databases.

Hopefully that all makes sense. 

Shards.png

 

 

0 Karma

jprovenzale
Explorer

Hi,

I have made all the changes. I also made the assumption that the initial search is now redundant as it has been moved to the hidden panel.
The dropdown is populated successfully by the shard list, however it doesn't look like the search in the hidden dropdown executes. The panel shows "Search is waiting for input". And I did update the "whatever" index to the correct one.

How can we tell if the search actually executes?

Code is:

<init>
    <set token="accountToken">"*"</set>

    <set token="accountselectedToken">False</set>

  </init>

  <fieldset submitButton="true" autoRun="true">

    <input type="multiselect" token="shardToken" searchWhenChanged="false">

      <label>Shards</label>

      <delimiter>,</delimiter>

      <fieldForLabel>shardaccount</fieldForLabel>

      <fieldForValue>shard</fieldForValue>

      <search>

        <query>| inputlookup ShardList.csv

| eval shardaccount=shard + " - " + account</query>

        <earliest>@d</earliest>

        <latest>now</latest>

      </search>

      <change>

        <condition match="$accountselectedToken$==&quot;True&quot;">

          <set token="accountselectedToken">False</set>

        </condition>

        <condition>

          <set token="accountToken">"*"</set>

        </condition>

      </change>

    </input>

    <input type="multiselect" token="doNotUseToken" searchWhenChanged="false" depends="$alwaysHide$">

      <label>Do not use</label>

      <delimiter>,</delimiter>

      <fieldForLabel>shardaccount</fieldForLabel>

      <fieldForValue>shard</fieldForValue>

      <search>

        <query>

          index=****** shard IN ("*") | search shard!=0 AND shard!=-1

          | stats count as result by shard

          | sort -result

          | head 5

          | stats values(shard) as returnshards

        </query>

        <done>

          <eval token="form.shardToken">$result.returnshards$</eval>

          <eval token="shardToken">$result.returnshards$</eval>

        </done>

        <earliest>@d</earliest>

        <latest>now</latest>

      </search>

    </input>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Temporarily, remove the depends attribute, add another token to the done handler and put that token in the label

    <input type="multiselect" token="doNotUseToken" searchWhenChanged="false">
      <label>Do not use $hiddenToken$</label>
      <delimiter>,</delimiter>
      <fieldForLabel>shardaccount</fieldForLabel>
      <fieldForValue>shard</fieldForValue>
      <search>
        <query>
          index=****** shard IN ("*") | search shard!=0 AND shard!=-1
          | stats count as result by shard
          | sort -result
          | head 5
          | stats values(shard) as returnshards
        </query>
        <done>
          <eval token="form.shardToken">$result.returnshards$</eval>
          <eval token="shardToken">$result.returnshards$</eval>
          <eval token="hiddenToken">$result.returnshards$</eval>
        </done>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
    </input>
0 Karma

jprovenzale
Explorer

Hi,

I made those changes but as shown in the attachment, no label is displayed.
When the mouse hovers over it, it is not even selectable.
So does that mean it is not actually executing?

Dashboard.jpeg



0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It is not showing because these fields do not exists in the search

      <fieldForLabel>shardaccount</fieldForLabel>
      <fieldForValue>shard</fieldForValue>

This doesn't mean that the search didn't execute. You could change them both to returnshards

The other thing you could try is to slow down the process so that the hidden search completes later.

          <eval token="hiddenToken">mvjoin($result.returnshards$,",")</eval>

I noticed I had done this in my example dashboard which you don't have in yours.

 

0 Karma

jprovenzale
Explorer

Hi,

 

I made those changes but still no good. I did do one thing though that proves that the code is reached. The label for the hidden multi-select was “Do not use $hiddenToken$. This did not produce a label when run.  I removed the $hiddenToken$ and rerun. The label “Do not use” was then displayed.

This tells me that $hiddenToken is not being set and by definition, neither is $result.returnshards$.
Current code is below.

  </init>

  <fieldset submitButton="true" autoRun="true">

    <input type="multiselect" token="shardToken" searchWhenChanged="false">

      <label>Shards</label>

      <delimiter>,</delimiter>

      <fieldForLabel>shardaccount</fieldForLabel>

      <fieldForValue>shard</fieldForValue>

      <search>

        <query>| inputlookup ShardList.csv

| eval shardaccount=shard + " - " + account</query>

        <earliest>@d</earliest>

        <latest>now</latest>

      </search>

      <change>

        <condition match="$accountselectedToken$==&quot;True&quot;">

          <set token="accountselectedToken">False</set>

        </condition>

        <condition>

          <set token="accountToken">"*"</set>

        </condition>

      </change>

    </input>

    <input type="multiselect" token="doNotUseToken" searchWhenChanged="false">

      <label>Do not use $hiddenToken$</label>

      <delimiter>,</delimiter>

      <fieldForLabel>$result.returnshards$</fieldForLabel>

      <fieldForValue>$result.returnshards$</fieldForValue>

      <search>

        <query>

          index=whatever shard IN ("*") | search shard!=0 AND shard!=-1

          | stats count as result by shard

          | sort -result

          | head 5

          | stats values(shard) as returnshards

        </query>

        <done>

          <eval token="form.shardToken">$result.returnshards$</eval>

          <eval token="shardToken">$result.returnshards$</eval>

          <eval token="hiddenToken">mvjoin($result.returnshards$,",")</eval>

        </done>

        <earliest>@d</earliest>

        <latest>now</latest>

      </search>

    </input>  

0 Karma

jprovenzale
Explorer

Hi,

It is actually working now. It just took about 5 minutes to run the query. I am very surprised it took that long because running the same query in a search executes fairly quickly.

 

Thanks for your extreme patience and assistance. Very much appreciated.

0 Karma
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...