How to store search results in token and form token?

jprovenzale
Explorer

Hello,

I have a dashboard that has a multi-select dropdown that contains a list of all database names.

When the dashboard is first run, the token that would hold the database name if a selection was made in the dropdown is set to * so all database events are read. Only the top 5 are returned.

My query looks like this:

index=whatever shard IN ("*") 
| chart count as result by shard
| sort -result
| head 5

So say the display panel shows results for these databases.

229, 290, 112, 273, 242

I want to set the dropdown labelled Shards form token "form.shardToken" to the list of databases returned as well as updating the token shardToken with the same list of databases.

Hopefully that all makes sense. 

Shards.png

0 Karma

jprovenzale
Explorer

Hi,

I have made all the changes. I also made the assumption that the initial search is now redundant as it has been moved to the hidden panel.
The dropdown is populated successfully by the shard list, however it doesn't look like the search in the hidden dropdown executes. The panel shows "Search is waiting for input". And I did update the "whatever" index to the correct one.

How can we tell if the search actually executes?

Code is:

  <init>
    <set token="accountToken">"*"</set>
    <set token="accountselectedToken">False</set>
  </init>
  <fieldset submitButton="true" autoRun="true">
    <input type="multiselect" token="shardToken" searchWhenChanged="false">
      <label>Shards</label>
      <delimiter>,</delimiter>
      <fieldForLabel>shardaccount</fieldForLabel>
      <fieldForValue>shard</fieldForValue>
      <search>
        <query>| inputlookup ShardList.csv
| eval shardaccount=shard + " - " + account</query>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="$accountselectedToken$==&quot;True&quot;">
          <set token="accountselectedToken">False</set>
        </condition>
        <condition>
          <set token="accountToken">"*"</set>
        </condition>
      </change>
    </input>
    <input type="multiselect" token="doNotUseToken" searchWhenChanged="false" depends="$alwaysHide$">
      <label>Do not use</label>
      <delimiter>,</delimiter>
      <fieldForLabel>shardaccount</fieldForLabel>
      <fieldForValue>shard</fieldForValue>
      <search>
        <query>
          index=****** shard IN ("*") | search shard!=0 AND shard!=-1
          | stats count as result by shard
          | sort -result
          | head 5
          | stats values(shard) as returnshards
        </query>
        <done>
          <eval token="form.shardToken">$result.returnshards$</eval>
          <eval token="shardToken">$result.returnshards$</eval>
        </done>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
    </input>

0 Karma

ITWhisperer
SplunkTrust

Temporarily, remove the depends attribute, add another token to the done handler and put that token in the label

    <input type="multiselect" token="doNotUseToken" searchWhenChanged="false">
      <label>Do not use $hiddenToken$</label>
      <delimiter>,</delimiter>
      <fieldForLabel>shardaccount</fieldForLabel>
      <fieldForValue>shard</fieldForValue>
      <search>
        <query>
          index=****** shard IN ("*") | search shard!=0 AND shard!=-1
          | stats count as result by shard
          | sort -result
          | head 5
          | stats values(shard) as returnshards
        </query>
        <done>
          <eval token="form.shardToken">$result.returnshards$</eval>
          <eval token="shardToken">$result.returnshards$</eval>
          <eval token="hiddenToken">$result.returnshards$</eval>
        </done>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
    </input>
0 Karma

jprovenzale
Explorer

Hi,

I made those changes but as shown in the attachment, no label is displayed.
When the mouse hovers over it, it is not even selectable.
So does that mean it is not actually executing?

Dashboard.jpeg



0 Karma

ITWhisperer
SplunkTrust

It is not showing because these fields do not exist in the search:

      <fieldForLabel>shardaccount</fieldForLabel>
      <fieldForValue>shard</fieldForValue>

This doesn't mean that the search didn't execute. You could change them both to returnshards

The other thing you could try is to slow down the process so that the hidden search completes later.

          <eval token="hiddenToken">mvjoin($result.returnshards$,",")</eval>

I noticed I had done this in my example dashboard which you don't have in yours.

 

0 Karma

jprovenzale
Explorer

Hi,

 

I made those changes but still no good. I did do one thing though that proves that the code is reached. The label for the hidden multi-select was “Do not use $hiddenToken$”. This did not produce a label when run. I removed the $hiddenToken$ and reran. The label “Do not use” was then displayed.

This tells me that $hiddenToken$ is not being set and, by definition, neither is $result.returnshards$.
Current code is below.

  </init>
  <fieldset submitButton="true" autoRun="true">
    <input type="multiselect" token="shardToken" searchWhenChanged="false">
      <label>Shards</label>
      <delimiter>,</delimiter>
      <fieldForLabel>shardaccount</fieldForLabel>
      <fieldForValue>shard</fieldForValue>
      <search>
        <query>| inputlookup ShardList.csv
| eval shardaccount=shard + " - " + account</query>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="$accountselectedToken$==&quot;True&quot;">
          <set token="accountselectedToken">False</set>
        </condition>
        <condition>
          <set token="accountToken">"*"</set>
        </condition>
      </change>
    </input>
    <input type="multiselect" token="doNotUseToken" searchWhenChanged="false">
      <label>Do not use $hiddenToken$</label>
      <delimiter>,</delimiter>
      <fieldForLabel>$result.returnshards$</fieldForLabel>
      <fieldForValue>$result.returnshards$</fieldForValue>
      <search>
        <query>
          index=whatever shard IN ("*") | search shard!=0 AND shard!=-1
          | stats count as result by shard
          | sort -result
          | head 5
          | stats values(shard) as returnshards
        </query>
        <done>
          <eval token="form.shardToken">$result.returnshards$</eval>
          <eval token="shardToken">$result.returnshards$</eval>
          <eval token="hiddenToken">mvjoin($result.returnshards$,",")</eval>
        </done>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
    </input>

0 Karma

jprovenzale
Explorer

Hi,

It is actually working now. It just took about 5 minutes to run the query. I am very surprised it took that long because running the same query in a search executes fairly quickly.

 

Thanks for your extreme patience and assistance. Very much appreciated.

0 Karma
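
Added example, not code from either participant: one way to answer "How can we tell if the search actually executes?" is to surface the job's own state from the search event handlers, which also makes a slow run (such as the 5 minutes reported above) visible instead of looking like a dead search. It assumes the `whatever` index and `ShardList.csv` from the thread; the `searchStatus` token and the dashboard label are hypothetical names, the top-5 query is moved to a top-level `<search>` instead of a hidden input, and the multivalue result is joined with `mvjoin` in SPL rather than in the handler.

```xml
<form version="1.1">
  <label>Top shards (added example)</label>
  <init>
    <set token="searchStatus">not started</set>
  </init>
  <!-- Top-level search: dispatched on page load, no hidden input required -->
  <search>
    <query>
      index=whatever shard IN ("*") | search shard!=0 AND shard!=-1
      | stats count as result by shard
      | sort -result
      | head 5
      | stats values(shard) as returnshards
      | eval returnshards=mvjoin(returnshards, ",")
    </query>
    <earliest>@d</earliest>
    <latest>now</latest>
    <progress>
      <set token="searchStatus">running, sid=$job.sid$</set>
    </progress>
    <done>
      <!-- $result.<field>$ reads the field from the first result row -->
      <set token="form.shardToken">$result.returnshards$</set>
      <set token="shardToken">$result.returnshards$</set>
      <set token="searchStatus">done in $job.runDuration$ s, $job.resultCount$ row(s), sid=$job.sid$</set>
    </done>
    <error><set token="searchStatus">error</set></error>
    <fail><set token="searchStatus">failed</set></fail>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="multiselect" token="shardToken" searchWhenChanged="false">
      <label>Shards</label>
      <delimiter>,</delimiter>
      <fieldForLabel>shardaccount</fieldForLabel>
      <fieldForValue>shard</fieldForValue>
      <search>
        <query>| inputlookup ShardList.csv | eval shardaccount=shard + " - " + account</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>Top-5 shard search: $searchStatus$</p>
      </html>
    </panel>
  </row>
</form>
```

The `sid` shown in the status line can be looked up in the Job Inspector to compare the dashboard run against the same query run from the search bar.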