Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use tokens to set values for fields in reports on a dashboard

masonwhite
Explorer
‎06-11-2018 12:13 PM

I have a series of reports that measure different statistics on network traffic, saved to a single dashboard. I want to have a text input that allows me to specify a subnet. I can get the query to run properly when i have the actual search inline with the dashboard but when referencing the report its like the token value is not getting passed to the report. I am thinking this is due to the dashboard pulling the report and so the report isnt getting passed any dashboard variables as the dashboard is only "ref" the report?

I can upload my xml if need be but i feel this is a simple yes or no capability question.

Tags (1)
0 Karma
Reply

masonwhite
Explorer
‎06-11-2018 12:19 PM

Token Set XML

    <input type="text" token="client_subnet">
      <label>client_subnet</label>
      <default>*</default>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

Inline search that works and is also the same code saved as a report 

<search>
          <query>index=my_index sourcetype=my_sourcetype dst=$client_subnet$ 
| top limit=5 src 
| iplocation src 
| eval percent=round(percent,2) 
| rename percent as Inbound Country as "Inbound Country" 
| appendcols 
    [ search index=my_index sourcetype=my_sourcetype src=$client_subnet$ 
    | top limit=5 dst 
    | iplocation dst 
    | eval percent=round(percent,2) 
    | rename percent as Outbound Country as "Outbound Country"] 
| table Inbound "Inbound Country" Outbound "Outbound Country" 
| fieldformat Inbound="%".Inbound 
| fieldformat Outbound="%".Outbound</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>

Saved report being referenced on the dashboard that does not work with token

  <panel>
      <table>
        <title>Top 5 Directional Traffic by Country</title>
        <search ref="Top 5 Directional Traffic by Country"></search>
        <option name="drilldown">none</option>
      </table>
    </panel>
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...