Saved Searches With Tokens

Motivator

I wonder if someone may be able to help me please.

I have the following 'Saved Accelerated Search' which I use as a data source in a dashboard.

index=main auditSource="matching" auditType="Tx*" detail.input-ida-request="*" 
  | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)" 
  | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?<idaSName>[^\"]+)"
  | rex field="detail.input-ida-request" "\"dateOfBirth\":{\"value\":\"(?<idaDOB>[^\"]+)"
  | rex field="detail.input-ida-request" "\"lines\":\[\"(?<Street>[^\"]+)\",\"(?<Town>[^\"]+)\",\"(?<Country>[^\"]+)\""
  | rex field="detail.input-ida-request" "\"postCode\":\"(?<idaPCode>[^\"]+)"
  | rex field="detail.input-ida-request" "\"NationalInsuranceNumber\":\"(?<idaNINO>[^\"]+)"
  | rex field="detail.input-ida-request" "\"SUT\":\"(?<idaSUT>[^\"]+)"
  | eval date=idaDOB | eval idaDOB=replace(idaDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1") 
  | fillnull value="Not Provided" idaFName idaSName idaDOB idaAddress idaPCode idaSUT idaNINO
  | eval idaFullName= idaFName." ".idaSName 
  | eval idaFull_Details= "DOB: ".idaDOB.", Address: ".Street." ".Town." ".Country.", NINO: ".idaNINO.", SAUTR: ".idaSUT 
  | makemv delim=", " idaFull_Details
  | rex field="detail.output-cid-response" "\"firstName\":\"(?<cidFName>[^\"]+)" 
  | rex field="detail.output-cid-response" "\"lastName\":\"(?<cidSName>[^\"]+)" 
  | rex field="detail.output-cid-response" "\"dateOfBirth\":\"(?<cidDOB>[^\"]+)" 
  | rex field="detail.output-cid-response" "\"sutr\":\"(?<cidSUT>[^\"]+)" 
  | rex field="detail.output-cid-response" "\"nino\":\"(?<cidNINO>[^\"]+)" 
  | rex field="detail.output-errors" "(?<ErrorCode>[^\][]+)" 
  | fillnull value="Not Provided" ErrorCode cidFName cidSName cidDOB cidSUT cidNINO
  | rex mode=sed field=cidDOB "s/(\d\d)(\d\d)(\d\d\d\d)/\1\/\2\/\3/g" 
  | eval generatedAt=strptime(generatedAt, "%Y-%m-%dT%H:%M:%S")|convert timeformat="%d/%b/%Y %H:%M" ctime(generatedAt)
  | eval cidFull_Details= "Firstname: ".cidFName.", Surname: ".cidSName.", DOB: ".cidDOB.", NINO: ".cidNINO.", SUT: ".cidSUT 
  | makemv delim=", " cidFull_Details
  | table idaFullName idaFull_Details cidFull_Details ErrorCode generatedAt | rename idaFullName TO "Customer Name", idaFull_Details TO "Customer Details", cidFull_Details TO "Cid Response", ErrorCode TO "Error Code", generatedAt TO "Date and Time of Submission"

On the dashboard I have a drop-down menu with a list of users' names with the token "username".

Then on a separate panel I have created a table of results.

What I'd like to do is filter the table of results by matching the token "username" with the field "idaFullName".

I have tried these lines in my dashboard without success:

 <searchString>| savedsearch "Digital Verify and Match" | where idaFullName="$username$"</searchString>
 <searchString>| savedsearch "Digital Verify and Match"  idaFullName="$username$"</searchString>

Many thanks and kind regards

Chris

0 Karma
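
Added example, not part of the original post: the saved search ends with rename idaFullName TO "Customer Name", so a filter placed after "| savedsearch" has to reference the renamed field, and key=value arguments to savedsearch only fill $idaFullName$-style placeholders inside the saved search, which this one does not contain. The panel layout and title are assumptions; the |s token filter wraps the selected value in quotes so it is treated as a string literal rather than as search syntax.

```xml
<!-- Added example: results panel filtered by the dropdown token. -->
<!-- Assumed: row/panel layout and the panel title. From the post: the saved
     search name, the "username" token and the renamed "Customer Name" column. -->
<row>
  <panel>
    <title>Verify and Match results for the selected customer</title>
    <table>
      <search>
        <!-- The saved search outputs "Customer Name", not idaFullName, because
             of its final rename. In where, a field name containing a space
             goes in single quotes. The |s filter quotes and escapes the token
             value, so a name containing a quote or a pipe cannot change the
             shape of the search. -->
        <query>| savedsearch "Digital Verify and Match"
| where 'Customer Name'=$username|s$</query>
      </search>
      <option name="drilldown">none</option>
    </table>
  </panel>
</row>
```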

Esteemed Legend

You saved the search, but did you schedule it? There is a difference! If the search is not scheduled to run automatically, there will be no data to load.

0 Karma

Motivator

Ah, that's interesting, because I thought from something I read in the 'Splunk Cookbook' book I have that 'saved searches' update automatically every 10 minutes?

In addition, I can use the saved search without the 'username' drop down menu and it is returning the information.

Many thanks and kind regards

Chris

0 Karma

Communicator

Please, paste the configuration from the dropdown menu.

0 Karma

Motivator

Hi @slr, thank you for taking the time to come back to me with this.

This is the query for the drop down menu:

<input type="dropdown" token="username" searchWhenChanged="true">
      <label>Please Select the Customer Name</label>
      <search>
        <query>index=main auditSource="matching" auditType="Tx*" detail.input-ida-request="*" earliest=$DashboardTime.earliest$ latest=$DashboardTime.latest$                      
          | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?&lt;idaFName&gt;[^\"]+)"                
          | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?&lt;idaSName&gt;[^\"]+)"               
          | eval idaFullName= idaFName." ".idaSName             
          | stats dc(idaFullName) first(inOrOut) As inOrOut By idaFullName               
          | stats count by idaFullName</query>
      </search>
      <fieldForLabel>idaFullName</fieldForLabel>
      <fieldForValue>idaFullName</fieldForValue>
    </input>

Many thanks and kind regards

Chris

0 Karma

Communicator

Any problem with the population of the dropdown?

The saved search works properly if you launch it in the searcher?

0 Karma

Motivator

Hi @slr, yes, thank you. I know the query works perfectly in the searcher, that's the frustrating point to this 🙂

Many thanks and kind regards

Chris

0 Karma

Community Manager

Hi @IRHM73

Please do not post duplicates. If you are going to post a duplicate of a previous post, delete the older one first before posting to avoid clutter on the site. We don't want search results for users to be larger than it has to be, so please be considerate of the rest of the community trying to find answers to their questions as well.

0 Karma

Motivator

Hi @ppablo, my apologies, it's just that most forums want you to include previous posts out of courtesy to help those who may be able to potentially help by seeing what has already been posted. Could you please delete the post "Using Tokens With Saved Searches" as I'm unable to do this.

Many thanks and kind regards

Chris

0 Karma

Community Manager

No problem Chris, thanks for being thoughtful 🙂 If there are related/relevant posts related to one another, then it's fine to post links to reference them, but if it's a complete duplicate of a previous post by the same user, it's better that only one exists. If there were any significant notes in the answers/comments in the previous post, then I'd go ahead and include that in the content of the new question.

Thanks!

Patrick

0 Karma