How to use tokens in Base and Chain searches in Dashboard studio?

mjones414
Contributor

I'm still struggling to get some basic XML tokenization concepts working in Dashboard Studio.

I have a simple text box input someone types into. From there, I want that to set a token that I use in the base search. The next thing I want to do is take a field value pair in the results and set the value in a token to use in another panel that's going to fill in a URL and grab an image.

so:

Base ds_lrth34 datasource:

Textbox -> Chain Search off ds_lrth34 that runs

.. | fields MyField

I want to do something that I would have otherwise done this way in simple XML:

<set token="myField">$result.MyField$</set>

but I haven't found a structure to make this work at all so that when I create an image viz I could do something like this:

"visualizations": {
	"viz_TRhGkelt": {
		"type": "viz.img",
		"options": {
			"src": "https://myCompany.sharepoint.com/_layouts/15/userphoto.aspx?AccountName=$MyField$&Size=L"
		}
	}
},

This is a heavily utilized methodology in our simple XML dashboards. I would love the right way to tokenize things like this in the new workflow.

0 Karma

elizabethl_splu
Splunk Employee

@mjones414 @DG - I'm happy to share that as of Splunk Cloud 8.2.2203 and Splunk Enterprise 9.0.0, you can set token values from search results. You can see an example in this blog and in our docs.

0 Karma

DG
Explorer

Thanks @elizabethl_splu, but I have already found these. I'm more interested in what @mjones414 asked. How can we store the whole search result in a token? Like this in Classic:

<search>
    <query>
      index="myIndex" event="login"
    </query>
    <done>
        <set token="Thing_One">$job.sid$</set>
    </done>
</search>

and I'm utilizing the loadjob command twice:

<panel>
    <single>
        <title>Number of Unique users</title>
        <search>
            <query>| loadjob "$Thing_One$" | stats dc(user_id) as "Unique users"</query>
        </search>
        <option name="drilldown">none</option>
    </single>
</panel>
<panel>
    <title>Unique users timeline</title>
    <chart>
        <search>
            <query>| loadjob "$Thing_One$" | timechart dc(user_id) as "Unique users timeline"</query>
        </search>
    </chart>
</panel>

 

This way the SVC consumption is about half the amount of running two individual queries.

I am asking because, as our team measured (with Chargeback app for Splunk), in Dashboard Studio using 1 ds.search (base) with 2 chain searches (children) is consuming almost as many SVCs as 2 individual ds.searches. We thought that using chain searches would execute the same base only once, so the SVC consumption would be half of that. I would try loadjob in Dashboard Studio, but I could not load any ds.search's result. I tried several syntaxes from the page you linked (loadjob $search name:job.sId$, $search name:result$, $search name:results$, etc.).

Thank you for your help!

 

0 Karma

elizabethl_splu
Splunk Employee

Seems like I can only upload one image per post, so here's an example of using loadjob:

elizabethl_splu_0-1663369103182.png

 

0 Karma

elizabethl_splu
Splunk Employee

Hey @DG ! A few things to check:

  1. $data source name:job.sid$ was added in 9.0.2205, so it was not part of the initial set of metadata supported when search tokens were first introduced in 8.2.2203
  2. Make sure you have this check box selected:
    elizabethl_splu_0-1663368935820.png
  3. "sid" should be all lowercase. I noticed in our docs, we have camel case "sId" and I'm working with our technical writer to update to all lowercase now.

I've just tested this out in 9.0.2205 and can confirm that a ds.search with | loadjob $data source name:job.sid$ works.

 

0 Karma
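The second and third checks from the reply above, as an added example (not part of the original thread and not Splunk's code): a small Python linter that scans a Dashboard Studio definition for search tokens and flags a camel-case "sId", a data source without the option enabled, or a token naming a data source that does not exist. It assumes the check box is stored as enableSmartSources in the data source's options; the data source names and queries in the sample are constructed.

```python
import re

# Matches $<data source name>:job.<property>$ and $<data source name>:result.<field>$.
TOKEN_RE = re.compile(r"\$([^$:]+):(job|result)\.([A-Za-z_]\w*)\$")

def iter_strings(node):
    """Yield every string nested anywhere in a parsed dashboard definition."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def lint_search_tokens(definition):
    """Return sorted (token, problem) pairs for search result/metadata tokens."""
    by_name = {ds.get("name"): ds for ds in definition.get("dataSources", {}).values()}
    problems = set()
    for text in iter_strings(definition):
        for match in TOKEN_RE.finditer(text):
            token, (name, kind, prop) = match.group(0), match.groups()
            source = by_name.get(name)
            if source is None:
                problems.add((token, "no data source has this name"))
            # Assumption: the check box is stored as options.enableSmartSources.
            elif not source.get("options", {}).get("enableSmartSources"):
                problems.add((token, "enableSmartSources is not set"))
            if kind == "job" and prop.lower() == "sid" and prop != "sid":
                problems.add((token, "sid must be all lowercase"))
    return sorted(problems)

# Constructed sample: names and queries are illustrative, modelled on the thread.
SAMPLE = {"dataSources": {
    "ds_base": {"type": "ds.search", "name": "Logins",
                "options": {"query": 'index="myIndex" event="login"'}},
    "ds_users": {"type": "ds.search", "name": "Unique users", "options": {
        "query": "| loadjob $Logins:job.sId$ | stats dc(user_id)"}},
    "ds_timeline": {"type": "ds.search", "name": "Timeline", "options": {
        "query": "| loadjob $Login:job.sid$ | timechart dc(user_id)"}},
}}

if __name__ == "__main__":
    for token, problem in lint_search_tokens(SAMPLE):
        print(f"{token}: {problem}")
```

The version requirement (job.sid only from 9.0.2205) cannot be read from the definition itself and still has to be checked against the deployment.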

DG
Explorer

Hi @elizabethl_splu ,

Thank you very much! Ah, so the problem was with the case (sId) and as I see, we are on version: 8.2.2203.4 so I guess we have to wait to get to 9.0.2205 and test it 😮

I will get back to you if I tried it!

0 Karma

wryanthomas
Contributor

*really* need this functionality.  Any idea when it will become available?  @elizabethl_splu 

0 Karma

elizabethl_splu
Splunk Employee

Hi @wryanthomas - thanks for following up! We're actively developing enhancements for tokens support, and hope to have some updates to share with you soon! 

0 Karma

DG
Explorer

Hi @elizabethl_splu ,

Do you have any updates about this feature? Is it implemented and documented somewhere? Thank you in advance!

0 Karma

elizabethl_splu
Splunk Employee

Hi @mjones414 - thanks for your question.

What you're looking to do - use a search result as a token value - is not yet supported, but is actively being developed! 

0 Karma