Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use tokens in Base and Chain searches in Dashboard studio?

mjones414
Contributor
‎01-17-2022 02:53 PM

I'm still struggling getting some basic xml tokenization concepts working in Dashboard studio.

I have a simple text box input someone types into.  from there, I want that to set a token that I use in the base search.  Next thing I want to do is take a field value pair in the results and set the value in a token to use in another panel thats going to fill in a URL and grab an image

so:

Base ds_lrth34 datasource:

Textbox -> Chain Search off ds_lrth34 that runs 

 

 

 

.. | fields MyField

 

 

 

I want to do something that I would have otherwise done this way in simple XML:

 

 

 

<set token="myField">$result.MyField$</set>

 

 

 

 but I havent found a structure to make this work at all so that when I create an image viz I could do something like this:

 

 

"visualizations": {
		"viz_TRhGkelt": {
			"type": "viz.img",
			"options": {
				"src": "https://myCompany.sharepoint.com/_layouts/15/userphoto.aspx?AccountName=$MyField$&Size=L"
			}
		}
	},

 

 


This is heavily utilized methodology in our simple xml dashboards, I would love the right way to tokenize things like this in the new workflow.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

elizabethl_splu
Splunk Employee
Splunk Employee
‎09-16-2022 12:26 PM

@mjones414 @DG - I'm happy to share that as of Splunk Cloud 8.2.2203 and Splunk Enterprise 9.0.0, you can set token values from search results. You can see an example in this blog and in our docs

0 Karma
Reply

DG
Explorer
‎09-16-2022 02:02 PM

Thanks @elizabethl_splu , but I have already found these, I'm more interested in what @mjones414 asked. How can we store the whole search result in a token? Like this in Classic:

<search>
    <query>
      index="myIndex" event="login"
    </query>
    <done>
        <set token="Thing_One">$job.sid$</set>
    </done>
</search>

and I'm utilizing the loadjob command twice:

 

<panel>
      <single>
        <title>Number of Unique users</title>
        <search>
          <query>| loadjob "$Thing_One$" | stats dc(user_id) as "Unique users" 
          </query>
        </search>
        <option name="drilldown">none</option>
      </single>
 </panel>
<panel>
      <title>Unique users timeline</title>
      <chart>
        <search>
          <query>| loadjob "$Thing_One$" | timechart dc(user_id) as "Unique users timeline"</query>
        </search>
      </chart>
</panel>

 

This way the SVC consumption is about half the amount of running two individual queries.

I am asking because as our team measured (with Chargeback app for Splunk), in Dashboard Studio using 1 ds.search (base) with 2 chain searches (children) are consuming almost as much SVCs as 2 individual ds.searches. We thought that using chain searches will execute the same base only once, so the SVC consumption will be half of that. I would try loadjob in Dashboard Studio, but I could not load any ds.search's result. I tried several syntax from the page you linked. (loadjob $search name:job.sId$, $search name:result$, $search name:results$ etc.)

Thank you for your help!

 

0 Karma
Reply

elizabethl_splu
Splunk Employee
Splunk Employee
‎09-16-2022 03:58 PM

Seems like I can only upload one image per post, so here's an example of using loadjob:

elizabethl_splu_0-1663369103182.png

 

0 Karma
Reply

elizabethl_splu
Splunk Employee
Splunk Employee
‎09-16-2022 03:57 PM

Hey @DG ! A few things to check:

  1. $data source name:job.sid$ was added in 9.0.2205, so it was not part of the initial set of metadata supported when search tokens were first introduced in 8.2.2203
  2. Make sure you have this check box selected:
    elizabethl_splu_0-1663368935820.png
  3. "sid" should be all lowercase. I noticed in our docs, we have camel case "sId" and I'm working with our technical writer to update to all lowercase now

I've just tested this out in 9.0.2205 and can confirm that a ds.search with | loadjob $data source name:job.sid$ works

 

0 Karma
Reply

DG
Explorer
‎09-17-2022 03:20 AM

Hi @elizabethl_splu ,

Thank you very much! Ah, so the problem was with the case (sId) and as I see, we are on version: 8.2.2203.4 so I guess we have to wait to get to 9.0.2205 and test it 😮

I will get back to you if I tried it!

0 Karma
Reply

wryanthomas
Contributor
‎03-02-2022 12:12 PM

*really* need this functionality.  Any idea when it will become available?  @elizabethl_splu 

0 Karma
Reply

elizabethl_splu
Splunk Employee
Splunk Employee
‎03-02-2022 01:01 PM

Hi @wryanthomas - thanks for following up! We're actively developing enhancements for tokens support, and hope to have some updates to share with you soon! 

0 Karma
Reply

DG
Explorer
‎09-16-2022 05:27 AM

Hi @elizabethl_splu ,

Do you have any updates about this feature? Is it implemented and documented somewhere? Thank you in advance!

0 Karma
Reply

elizabethl_splu
Splunk Employee
Splunk Employee
‎02-02-2022 10:01 AM

Hi @mjones414 - thanks for your question.

What you're looking to do - use a search result as a token value - is not yet supported, but is actively being developed! 

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...