Dashboards & Visualizations

Set a number of tokens from a base search in a dashboard to be consumed as needed in other panels

mjones414
Contributor

This seems like it would be straightforward enough based on the documentation, but I have been completely unsuccessful at implementing this method.  Basically I am setting up an interactive dashboard where someone provides an ID in one of a few different valid formats.  From there, I  want to normalize all the potential ID's associated in the different sources for that user and pull together a set of panels from otherwise isolated systems.  

 

 

 

 <search id="User_Lookup">
    <query>|inputlookup user_inventory.csv" | $ACCT_TYPE|s$| fields *</query>
    <done>
      <condition match="'$result.doneProgress$' = 1">
      <set token="tok_email">$result.dv_email$</set>
      <set token="tok_altId">$result.dv_u_AltId$</set>
      <set token="tok_samact">$result.dv_u_logonid$</set>
      <set token="tok_sso">$result.dv_u_sso$</set>
      </condition>
    </done>
  </search>
 <title>Top 10 External Email destinations.</title>
        <search>
          <query>sourcetype=stash   source="summary_mailstuffs" src_user=$tok_email$
| top 10 dest_email</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>

 

 

 

 

But the dashboard never appears to recognize that $tok_email$ is being set from the base search.  I am 100% certain the field and value exist in the base search.  Where am I going wrong?

Labels (2)
0 Karma

ITWhisperer
Legend

Could it be that when the done handler runs $result.doneProgress$ is not 1?

0 Karma

mjones414
Contributor

Its possible, but what I did was looked at a successful run of the search's job properties and pull whatever the value was on completion.  Even with no conditions defined, it still doesn't seem to populate the token at any time.

0 Karma

mjones414
Contributor

What I'm ultimately trying to accomplish above is the ability to present someone with a text box where they can type in an ID.  The ID can be in one of three formats in this case.  I handle what kind of id it is by the following inputs:

<fieldset submitButton="false">
    <input type="text" token="ACCT_NAME" searchWhenChanged="true">
      <label>Account Name</label>
      <default></default>
      <prefix></prefix>
      <suffix></suffix>
    </input>
    <input type="radio" token="ACT_TYPE" searchWhenChanged="true">
      <label>Account Type</label>
      <choice value="where dv_u_altId=$ACCT_NAME$">AltID</choice>
      <choice value="where dv_u_logonid=$ACCT_NAME$">sAMAccountName</choice>
      <choice value="where dv_u_sso=$ACCT_NAME$">User Principal Name</choice>
    </input>
  </fieldset>

 

The choices then complete the base search above and return three fields.  I want to make the value of those fields tokens for search panels in the rest of the dashboard. 🙂

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!