Passing tokens to pivot dashboard

cyndiback
Path Finder

Passing tokens to a pivot dashboard:


  • Using Simple XML, I created a dashboard with a dropdown selector.

  • All my dashboard panels were created with a pivot search.

  • When creating the search, I added the token $host$ into the filter and saved the dashboard.

  • The dashboard works as expected.

  • Are there any unintended consequences with using pivot this way?

    Dropdown search:

        <populatingSearch fieldForValue="selected_host" fieldForLabel="selected_host">
          <![CDATA[| pivot WebCampus_Access webcampus_authentication SPLITROW host AS "selected_host" SORT 100 host]]>
        </populatingSearch>

    Dashboard search:

        <searchString>| pivot WebCampus_Access webcampus_authentication count(evt_code) AS "Count of event_code" SPLITROW _time AS "_time" PERIOD auto SPLITCOL host FILTER evt_code = 0 FILTER host is $selected_host$ SORT 0 _time NUMCOLS 100</searchString>
    

    dfoster_splunk
    Splunk Employee

    Are there any unintended consequences with using pivot this way?

    I shouldn't think so. Using tokens in search strings is very well supported.

    Only trouble you might run into is if $selected_host$ contains spaces. Then you'd probably want to actually search-escape it using $selected_host|s$

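    The quoting suggested in the answer above, applied to the asker's two searches in one form. This is an added example, not part of the original thread; the label, chart title and time range are assumed values, while the data model and field names come from the question.

```xml
<form>
  <!-- Label, title and time range are assumed values for illustration -->
  <label>WebCampus authentication by host</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="selected_host">
      <label>Host</label>
      <populatingSearch fieldForValue="selected_host" fieldForLabel="selected_host">
        <![CDATA[| pivot WebCampus_Access webcampus_authentication SPLITROW host AS "selected_host" SORT 100 host]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>Count of event_code over time</title>
      <!-- Unquoted form from the question: FILTER host is $selected_host$
           With that form, a value containing a space no longer reads as a
           single operand. $selected_host|s$ wraps the value in double quotes
           and escapes any quotes inside it, so the whole value stays one
           FILTER operand. -->
      <searchString>| pivot WebCampus_Access webcampus_authentication count(evt_code) AS "Count of event_code" SPLITROW _time AS "_time" PERIOD auto SPLITCOL host FILTER evt_code = 0 FILTER host is $selected_host|s$ SORT 0 _time NUMCOLS 100</searchString>
      <earliestTime>-24h@h</earliestTime>
      <latestTime>now</latestTime>
    </chart>
  </row>
</form>
```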

    nmouli
    Explorer

    Hi -

    If I use the token for the SPLITCOL variable by using FILTER inside the pivot command, it works, but if I pass the token for the SPLITCOL variable by using search, where, fields or table outside the pivot command, it does not work. Can you please advise?

    Working example: | pivot datamodelname rootobject SPLITROW field1 SPLITCOL field2 FILTER field2 is "$tok_field2$" NUMCOLS 500 | where field1="xyz"

    Non-working example: | pivot datamodelname rootobject SPLITROW field1 SPLITCOL field2 NUMCOLS 500 | where field1="xyz" | table field1 "$tok_field2$"
