Dashboards & Visualizations

Saved Searches With Tokens

IRHM73
Motivator

I wonder if someone may be able to help me please.

I have the following 'Saved Accelerated Search', which I use as a data source in a dashboard.

index=main auditSource="matching" auditType="Tx*" detail.input-ida-request="*" 
  | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)" 
  | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?<idaSName>[^\"]+)"
  | rex field="detail.input-ida-request" "\"dateOfBirth\":{\"value\":\"(?<idaDOB>[^\"]+)"
  | rex field="detail.input-ida-request" "\"lines\":\[\"(?<Street>[^\"]+)\",\"(?<Town>[^\"]+)\",\"(?<Country>[^\"]+)\""
  | rex field="detail.input-ida-request" "\"postCode\":\"(?<idaPCode>[^\"]+)"
  | rex field="detail.input-ida-request" "\"NationalInsuranceNumber\":\"(?<idaNINO>[^\"]+)"
  | rex field="detail.input-ida-request" "\"SUT\":\"(?<idaSUT>[^\"]+)"
  | eval date=idaDOB | eval idaDOB=replace(idaDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1") 
  | fillnull value="Not Provided" idaFName idaSName idaDOB idaAddress idaPCode idaSUT idaNINO
  | eval idaFullName= idaFName." ".idaSName 
  | eval idaFull_Details= "DOB: ".idaDOB.", Address: ".Street." ".Town." ".Country.", NINO: ".idaNINO.", SAUTR: ".idaSUT 
  | makemv delim=", " idaFull_Details
  | rex field="detail.output-cid-response" "\"firstName\":\"(?<cidFName>[^\"]+)" 
  | rex field="detail.output-cid-response" "\"lastName\":\"(?<cidSName>[^\"]+)" 
  | rex field="detail.output-cid-response" "\"dateOfBirth\":\"(?<cidDOB>[^\"]+)" 
  | rex field="detail.output-cid-response" "\"sutr\":\"(?<cidSUT>[^\"]+)" 
  | rex field="detail.output-cid-response" "\"nino\":\"(?<cidNINO>[^\"]+)" 
  | rex field="detail.output-errors" "(?<ErrorCode>[^\][]+)" 
  | fillnull value="Not Provided" ErrorCode cidFName cidSName cidDOB cidSUT cidNINO
  | rex mode=sed field=cidDOB "s/(\d\d)(\d\d)(\d\d\d\d)/\1\/\2\/\3/g" 
  | eval generatedAt=strptime(generatedAt, "%Y-%m-%dT%H:%M:%S")|convert timeformat="%d/%b/%Y %H:%M" ctime(generatedAt)
  | eval cidFull_Details= "Firstname: ".cidFName.", Surname: ".cidSName.", DOB: ".cidDOB.", NINO: ".cidNINO.", SUT: ".cidSUT 
  | makemv delim=", " cidFull_Details
  | table idaFullName idaFull_Details cidFull_Details ErrorCode generatedAt | rename idaFullName TO "Customer Name", idaFull_Details TO "Customer Details", cidFull_Details TO "Cid Response", ErrorCode TO "Error Code", generatedAt TO "Date and Time of Submission"

On the dashboard I have a drop-down menu with a list of user names, using the token "username".

Then on a separate panel I have created a table of results.

What I'd like to do is filter the table of results by matching the token "username" with the field "idaFullName".

I have tried these lines in my dashboard without success:

 <searchString>| savedsearch "Digital Verify and Match" | where idaFullName="$username$"</searchString>
 <searchString>| savedsearch "Digital Verify and Match"  idaFullName="$username$"</searchString>

Many thanks and kind regards

Chris

0 Karma

woodcock
Esteemed Legend

You saved the search, but did you schedule it? There is a difference! If the search is not scheduled to run automatically, there will be no data to load.

0 Karma

IRHM73
Motivator

Ah, that's interesting, because I thought from something I read in the 'Splunk Cookbook' book I have that 'saved searches' update automatically every 10 minutes?

In addition, I can use the saved search without the 'username' drop down menu and it is returning the information.

Many thanks and kind regards

Chris

0 Karma

slr
Communicator

Please, paste the configuration from the dropdown menu.

0 Karma

IRHM73
Motivator

Hi @slr, thank you for taking the time to come back to me with this.

This is the query for the drop down menu:

<input type="dropdown" token="username" searchWhenChanged="true">
  <label>Please Select the Customer Name</label>
  <search>
    <query>index=main auditSource="matching" auditType="Tx*" detail.input-ida-request="*" earliest=$DashboardTime.earliest$ latest=$DashboardTime.latest$
      | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?&lt;idaFName&gt;[^\"]+)"
      | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?&lt;idaSName&gt;[^\"]+)"
      | eval idaFullName= idaFName." ".idaSName
      | stats dc(idaFullName) first(inOrOut) As inOrOut By idaFullName
      | stats count by idaFullName</query>
  </search>
  <fieldForLabel>idaFullName</fieldForLabel>
  <fieldForValue>idaFullName</fieldForValue>
</input>

Many thanks and kind regards

Chris

0 Karma
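The following Simple XML form is an added example, not code from the original post or from Splunk, showing one way to wire the dropdown above to a table panel that filters the saved search by the token. It assumes a saved report named "Digital Verify and Match" whose final `rename` (as in the search posted above) turns `idaFullName` into "Customer Name", so the filter after `| savedsearch` has to use that renamed field. The dropdown's population search is trimmed to the fields the dropdown needs; the `DashboardTime` time input is assumed. The `$username|s$` token filter wraps the selected value in double quotes so that a name containing quotes or pipe characters is treated as a literal string rather than altering the search.

```xml
<form>
  <label>Digital Verify and Match (added example)</label>
  <fieldset submitButton="false">
    <!-- Assumed time input; the original dropdown search references $DashboardTime$ -->
    <input type="time" token="DashboardTime">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="username" searchWhenChanged="true">
      <label>Please Select the Customer Name</label>
      <!-- Population search from the post, trimmed to the two extractions the dropdown needs -->
      <search>
        <query>index=main auditSource="matching" auditType="Tx*" detail.input-ida-request="*"
          | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?&lt;idaFName&gt;[^\"]+)"
          | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?&lt;idaSName&gt;[^\"]+)"
          | eval idaFullName=idaFName." ".idaSName
          | stats count by idaFullName</query>
        <earliest>$DashboardTime.earliest$</earliest>
        <latest>$DashboardTime.latest$</latest>
      </search>
      <fieldForLabel>idaFullName</fieldForLabel>
      <fieldForValue>idaFullName</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Matching results for $username$</title>
      <table>
        <search>
          <!-- The saved search renames idaFullName to "Customer Name" in its last pipe,
               so idaFullName no longer exists after "| savedsearch". Filter on the
               renamed field; single quotes address a field name containing a space.
               $username|s$ emits the selected name as a double-quoted SPL string. -->
          <query>| savedsearch "Digital Verify and Match"
            | where 'Customer Name'=$username|s$</query>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```

The same filter can be written as `| search "Customer Name"=$username|s$`; `where` is used here because its single-quoted field reference makes the space in the renamed field name explicit.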

slr
Communicator

Any problem with the population of the dropdown?

Does the saved search work properly if you launch it in the searcher?

0 Karma

IRHM73
Motivator

Hi @slr, yes thanks, I know the query works perfectly in the searcher; that's the frustrating point to this 🙂

Many thanks and kind regards

Chris

0 Karma

ppablo
Retired

Hi @IRHM73

Please do not post duplicates. If you are going to post a duplicate of a previous post, delete the older one first before posting to avoid clutter on the site. We don't want search results for users to be larger than it has to be, so please be considerate of the rest of the community trying to find answers to their questions as well.

0 Karma

IRHM73
Motivator

Hi @ppablo, my apologies, it's just that most forums want you to include previous posts out of courtesy to help those who may be able to potentially help by seeing what has already been posted. Could you please delete the post "Using Tokens With Saved Searches" as I'm unable to do this.

Many thanks and kind regards

Chris

0 Karma

ppablo
Retired

No problem Chris, thanks for being thoughtful 🙂 If there are related/relevant posts related to one another, then it's fine to post links to reference them, but if it's a complete duplicate of a previous post by the same user, it's better that only one exists. If there were any significant notes in the answers/comments in the previous post, then I'd go ahead and include that in the content of the new question.

Thanks!

Patrick

0 Karma