Passing tokens to pivot dashboard

cyndiback · ‎03-27-2014

Passing tokens to a pivot dashboard:

Using simple xml I created a dashboard with a dropdown selector.

All my dashboard panels were created with a pivot search.

When creating the search I added the token $host$ into the filter and saved the dashboard.

The dashboard works as expected

Is there any unintended consequences with using pivot this way?

Dropdown search:

 <populatingSearch fieldForValue="selected_host" fieldForLabel="selected_host">
    <![CDATA[| pivot WebCampus_Access webcampus_authentication SPLITROW host AS "selected_host" SORT 100 host]]>
  </populatingSearch>

Dashboard searcH:

 <searchString>| pivot WebCampus_Access webcampus_authentication count(evt_code) AS "Count of event_code" SPLITROW _time AS "_time" PERIOD auto SPLITCOL host FILTER  evt_code = 0 FILTER host is $selected_host$ SORT 0 _time NUMCOLS 100</searchString>

dfoster_splunk · ‎03-31-2014

Is there any unintended consequences with using pivot this way?

I shouldn't think so. Using tokens in search strings is very well supported.

Only trouble you might run into is if $selected_host$ contains spaces. Then you'd probably want to actually search-escape it using $selected_host|s$

nmouli · ‎03-08-2017

Hi -

If i use the token for SPLITCOL variable by using FILTER inside pivot command it's working but if i pass the token for SPLITCOL variable by using search or where or fields or table outside pivot command it is not working. can you please advise?

Working Eg: | pivot datamodelname rootobject SPLITROW field1 SPLITCOL field2 FILTER field2 is "$tok_field2$" NUMCOLS 500 | where field1="xyz"

Not working Eg : | pivot datamodelname rootobject SPLITROW field1 SPLITCOL field2 NUMCOLS 500 | where field1="xyz" | table field1 "$tok_field2$"

Passing tokens to pivot dashboard

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk