help for linking my request with a token

jip31 · ‎01-04-2019

hi
i use the request below and I want to link it with a token
my token is called "tok_filterhost" and I add host=$tok_filterhost$" in my query in order to have a result if the host is good and no result if the host is bad
but I have no results
could you help me please??

eventtype="DiskHealthSize" 
| dedup host 
| eval time = strftime(_time, "%m/%d/%Y %H:%M") 
| eval Value = round(Value, 1) 
| eval TotalSpace = TotalSpaceKB/1024 
| eval TotalSpace = round(TotalSpace/1024,1). " MB" 
| rename Value as Free_Space 
| eval Free_Space= if(Free_Space>15, "GOOD", "BAD") 
| table Free_Space

niketn · ‎01-04-2019

@jip31 the query you have posted in your question performs | table Free_Space command in the end. Which implies it drops the host field which is possibly why your search filter with | where host="$tok_filterhost$" is not working.

Since you are using loadjob to return the results of saved search "admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status_Details", either you need to change the saved search to add host to final output or created a new saved search with both host and Free_Space returned as result. In any case saved search final pipe should be the following:

 | table host Free_Space

In your actual dashboard you can post-processing to show only FreeSpace without host name.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jip31 · ‎01-06-2019

thanks it works

renjith_nair · ‎01-04-2019

@jip31, where did you add the token? Do you mind sharing the xml part where the token is assigned and added?

---
What goes around comes around. If it helps, hit it with Karma 🙂

jip31 · ‎01-04-2019

yes but it doesnt works

here is the xml

<form>
  <label>Hard Disk</label>
  <description>Disk health checking - Slot time : 30 days</description>
  <fieldset submitButton="true">
    <input type="text" searchWhenChanged="true" token="tok_filterhost">
      <label>HostName</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Disk Remaining Space Status</title>
      <html depends="$alwaysHideCSSStylePanel$">
       <style>
          #singleWithCSSOverride1 svg.svg-container rect{
             fill: $tokColor1$ !important;
           #singleWithCSSOverride2 svg.svg-container rect{
             fill: $tokColor2$ !important;
           }
        </style>
       </html>
      <single id="singleWithCSSOverride1">
        <title>Good : &gt; 15% - Bad : &lt; 15%</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Disk Health Status</title>
      <single>
        <title>Good : Status = OK - Bad : Status = Not OK</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x555","0x555"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Disk Remaining Space Status Details</title>
      <table>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size_Details" 
| search host=$tok_filterhost$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Disk Health Status Details</title>
      <table>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status_Details" 
| search host=$tok_filterhost$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <format type="color" field="Status">
          <colorPalette type="map">{"OK":#3863A0}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>

renjith_nair · ‎01-04-2019

What are the fields in the result of savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status_Details". Does it have host field?

---
What goes around comes around. If it helps, hit it with Karma 🙂

help for linking my request with a token

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

help for linking my request with a token

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025