Dashboards & Visualizations

Set a number of tokens from a base search in a dashboard to be consumed as needed in other panels


This seems like it would be straightforward enough based on the documentation, but I have been completely unsuccessful at implementing this method.  Basically I am setting up an interactive dashboard where someone provides an ID in one of a few different valid formats.  From there, I  want to normalize all the potential ID's associated in the different sources for that user and pull together a set of panels from otherwise isolated systems.  




 <search id="User_Lookup">
    <query>|inputlookup user_inventory.csv" | $ACCT_TYPE|s$| fields *</query>
      <condition match="'$result.doneProgress$' = 1">
      <set token="tok_email">$result.dv_email$</set>
      <set token="tok_altId">$result.dv_u_AltId$</set>
      <set token="tok_samact">$result.dv_u_logonid$</set>
      <set token="tok_sso">$result.dv_u_sso$</set>
 <title>Top 10 External Email destinations.</title>
          <query>sourcetype=stash   source="summary_mailstuffs" src_user=$tok_email$
| top 10 dest_email</query>





But the dashboard never appears to recognize that $tok_email$ is being set from the base search.  I am 100% certain the field and value exist in the base search.  Where am I going wrong?

Labels (2)
0 Karma


Could it be that when the done handler runs $result.doneProgress$ is not 1?

0 Karma


Its possible, but what I did was looked at a successful run of the search's job properties and pull whatever the value was on completion.  Even with no conditions defined, it still doesn't seem to populate the token at any time.

0 Karma


What I'm ultimately trying to accomplish above is the ability to present someone with a text box where they can type in an ID.  The ID can be in one of three formats in this case.  I handle what kind of id it is by the following inputs:

<fieldset submitButton="false">
    <input type="text" token="ACCT_NAME" searchWhenChanged="true">
      <label>Account Name</label>
    <input type="radio" token="ACT_TYPE" searchWhenChanged="true">
      <label>Account Type</label>
      <choice value="where dv_u_altId=$ACCT_NAME$">AltID</choice>
      <choice value="where dv_u_logonid=$ACCT_NAME$">sAMAccountName</choice>
      <choice value="where dv_u_sso=$ACCT_NAME$">User Principal Name</choice>


The choices then complete the base search above and return three fields.  I want to make the value of those fields tokens for search panels in the rest of the dashboard. 🙂

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...