Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Tokens to filter dbxquery output

sochsenbein
Communicator
‎06-12-2019 03:46 PM

On my dashboard, I have a report that runs a Stored Procedure using dbxquery. I have added a dropdown input on the dashboard to allow the client to filter out data returned by the Stored Procedure, however, tokens do not appear to be working with dbxquery.

The following, without a token, filters out the table just fine:

| dbxquery connection=THE_DATABASE query="EXEC DATABASE..STORED_PROCEDURE" 
| where ProductType="PRODUCT123" 
| table ProductType ProductName ProductQuantity ProductID

However, when using a token, it returns nothing:

| dbxquery connection=THE_DATABASE query="EXEC DATABASE..STORED_PROCEDURE" 
| where ProductType=$ProductTypeFilter$ 
| table ProductType ProductName ProductQuantity ProductID

I have tried using quotes around the token, using search instead of where, and using match/like commands.

UPDATE: I changed the Stored Procedure to take in an argument, however, I still cannot get the token to be passed through.

Works:

| dbxquery connection=THE_DATABASE query="EXEC DATABASE..STORED_PROCEDURE @ProductTypeFilter = 'PROD'"

Does not work:

| dbxquery connection=THE_DATABASE query="EXEC DATABASE..STORED_PROCEDURE @ProductTypeFilter = '$ProductTypeFilter$'"
0 Karma
Reply

niketn
Legend
‎06-12-2019 06:18 PM

[UPDATED ANSWER]

Added run anywhere example to show that token is set/unset properly. I have used | search ProductID="$tokProductID$" in the example.

<form>
  <label>Filter by token</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="dropdown" token="tokProductID" searchWhenChanged="true">
        <label>Product ID</label>
        <choice value="1234">Apple</choice>
        <choice value="2345">Banana</choice>
        <default>1234</default>
      </input>
      <table>
        <search>
          <query>| makeresults
| eval _raw="ProductType=\"fruit\" ProductName=\"apple\" ProductQuantity=\"good\" ProductID=\"1234\""
| append [| makeresults
| eval _raw="ProductType=\"fruit\" ProductName=\"banana\" ProductQuantity=\"bad\" ProductID=\"2345\""]
| KV
| fields - _*
| search ProductID="$tokProductID$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

@sochsenbein Seems like token is not passed to Stored procedure. You are trying to filter results in Splunk. Ideally you should pass parameter to SP so that only required results are fetched.

However, for the time being, try one of the following

1) string escaped token |s$

 | dbxquery connection=THE_DATABASE query="EXEC DATABASE..STORED_PROCEDURE "
 | where ProductType=$ProductTypeFilter|s$ 
 | table ProductType ProductName ProductQuantity ProductID

2) double quotes wrapped token

 | dbxquery connection=THE_DATABASE query="EXEC DATABASE..STORED_PROCEDURE "
 | where ProductType="$ProductTypeFilter$" 
 | table ProductType ProductName ProductQuantity ProductID

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sochsenbein
Communicator
‎06-13-2019 09:51 AM

@niketnilay I tried both of these methods before posting, but forgot to mention I tried the "|s" method, sorry. The "|s" results in the error message "Unknown search command 's'. But I do agree, it'd be better to just pass the token to the Stored Procedure.

0 Karma
Reply

niketn
Legend
‎06-13-2019 09:59 AM

Can you change |where to |search and try?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sochsenbein
Communicator
‎06-13-2019 10:13 AM

@niketnilay in my post I mentioned that I tried that haha.

"I have tried using quotes around the token, using search instead of where, and using match/like commands."

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...