Dashboards & Visualizations

dashboard token - if no results use LUT instead

splunkyouverymu
Explorer

Hi All,

I'm struggling to understand how to use a token to make one of the panels in my dashboard pull results from a LUT in the event the initial search returns no results.

Something like this:

<search>
 <query>index=userinfo homeowner=$name$ | stats values(address) as Address</query>
  <done>
    <condition match="'$job.resultCount$'=='0'">
    <set token="useLUT">|inputlookup userbase.csv where homeowner=$name$ |  stats values(address) as Address</set>
   </condition>
   <condition>
    <unset token="useLUT"></unset>
   </condition>
  </done>
</search>

Normally, in a search I would do this using appendpipe and stats count ==0 but I am trying to better understand tokens.

Could someone point me in the right direction? The only examples I can find online are to hide panels if resultcount==0

0 Karma
1 Solution

DalJeanis
Legend

I've never seen the acronym "LUT" here in splunkland. I assume you mean lookup table.

Here's what I'd do...

index=userinfo homeowner=$name$ 
| stats values(address) as Address by homeowner
| append [
    | inputlookup userbase.csv where homeowner=$name$ 
    | stats values(address) as Address by homeowner
    ]
| head 1
| table Address

The above query pulls the data from both the index and the lookup, in that order. The head 1 command lets only the first record through. That way, the search does all the work, and your dashboard doesn't have to have any logic in it at all.

View solution in original post

DalJeanis
Legend

I've never seen the acronym "LUT" here in splunkland. I assume you mean lookup table.

Here's what I'd do...

index=userinfo homeowner=$name$ 
| stats values(address) as Address by homeowner
| append [
    | inputlookup userbase.csv where homeowner=$name$ 
    | stats values(address) as Address by homeowner
    ]
| head 1
| table Address

The above query pulls the data from both the index and the lookup, in that order. The head 1 command lets only the first record through. That way, the search does all the work, and your dashboard doesn't have to have any logic in it at all.

splunkyouverymu
Explorer

Hi DalJeanis - yes by LUT I meant lookup table. Thanks for clarifying that - LUT is a common term in my little bubble so I assumed it was everywhere 🙂

Thanks for the answer, and it does implement what I requested in this particular example and is similar to how I have done it in the past (though this is a better method).

One of my concerns with implementing this logic within the query is that my dashboards can have upwards of 10 panels/queries that need to perform this same function. Our lookup file is large and takes a long time to load, so I was hoping to to create a base search that loads the lookup file. Then in each query that fails to find data in the search index, I can use the token to run the base search and pull the needed lookup data if the original search has a resultcount==0.

It sounded more efficient to me to load the lookup one time, and then use the token functionality to revert to that base search rather than loading the lookup over and over in each panel. I'm not sure if Splunk is smart enough to know I'm loading the same lookup 10 times in the same dashboard and therefore only load it once. If it is then I am happy to stick with this in-query logic.

0 Karma

DalJeanis
Legend

@splunkyouverymuch -

Then do the same thing - create a base search that filters the lookup table to produce a single record, save the sid for that search, and then concatenate the record on the end of each of the other searches by using |loadjob

splunkyouverymu
Explorer

Ah, beautiful. Thanks!

niketn
Legend

@splunkyouverymuch you may have misunderstood tokens and their usage in Splunk. Could you please elaborate your usecase for us to assist you better?

In case there are values() in your index=userinfo homeower="name", then you want to display the same. If no values returned from index you need to pull the same from lookup file. Is this correct?

Following are sources for you to pick up on learning about Tokens in Splunk:

  1. Splunk Docs Token Usage in Dashboards
  2. Splunk Docs Token Reference
  3. Splunk Docs Event Handler Reference
  4. Splunk .Conf 2017 Sessions on Tokens by Splunk Trust members @martin_mueller and @rjthibod
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

splunkyouverymu
Explorer

Hi Niket! Yes, your understanding is correct. I want to pull my values() from my search index and display them in he dashboard, but if that index has no values - I want to pull the same data out of my lookup file.

I've gone through the resources you shared already and struggle to make the connection. What I want to do is explicitly listed as a use case of dashboard tokens:

You can set search tokens for a dashboard to display search job metadata or to control dashboard behavior.

There are many ways to use search tokens. Here are some example use cases.

Including a search result count in a visualization title.
If a search returns no results, run a different search or hide the panel.
Hide or show panels if a search fails.

I basically want to implement tokens to do that 2nd use case listed.

if:
index=userinfo homeowner=$name$ | stats values(address) as Address
returns no results, I want to run a different search instead:
|inputlookup userbase.csv where homeowner=$name$ | stats values(address) as Address
and populate that same stats table as the first search tried to populate.

Every example or user discussion I can find online is always about hiding the panel with depends rather than specifying a new search to run.

Does that make more sense? I appreciate your help!

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...