help for linking my request with a token

jip31 · ‎01-04-2019

hi
i use the request below and I want to link it with a token
my token is called "tok_filterhost" and I add host=$tok_filterhost$" in my query in order to have a result if the host is good and no result if the host is bad
but I have no results
could you help me please??

eventtype="DiskHealthSize" 
| dedup host 
| eval time = strftime(_time, "%m/%d/%Y %H:%M") 
| eval Value = round(Value, 1) 
| eval TotalSpace = TotalSpaceKB/1024 
| eval TotalSpace = round(TotalSpace/1024,1). " MB" 
| rename Value as Free_Space 
| eval Free_Space= if(Free_Space>15, "GOOD", "BAD") 
| table Free_Space

niketn · ‎01-04-2019

@jip31 the query you have posted in your question performs | table Free_Space command in the end. Which implies it drops the host field which is possibly why your search filter with | where host="$tok_filterhost$" is not working.

Since you are using loadjob to return the results of saved search "admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status_Details", either you need to change the saved search to add host to final output or created a new saved search with both host and Free_Space returned as result. In any case saved search final pipe should be the following:

 | table host Free_Space

In your actual dashboard you can post-processing to show only FreeSpace without host name.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jip31 · ‎01-06-2019

thanks it works

renjith_nair · ‎01-04-2019

@jip31, where did you add the token? Do you mind sharing the xml part where the token is assigned and added?

---
What goes around comes around. If it helps, hit it with Karma 🙂

jip31 · ‎01-04-2019

yes but it doesnt works

here is the xml

<form>
  <label>Hard Disk</label>
  <description>Disk health checking - Slot time : 30 days</description>
  <fieldset submitButton="true">
    <input type="text" searchWhenChanged="true" token="tok_filterhost">
      <label>HostName</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Disk Remaining Space Status</title>
      <html depends="$alwaysHideCSSStylePanel$">
       <style>
          #singleWithCSSOverride1 svg.svg-container rect{
             fill: $tokColor1$ !important;
           #singleWithCSSOverride2 svg.svg-container rect{
             fill: $tokColor2$ !important;
           }
        </style>
       </html>
      <single id="singleWithCSSOverride1">
        <title>Good : &gt; 15% - Bad : &lt; 15%</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Disk Health Status</title>
      <single>
        <title>Good : Status = OK - Bad : Status = Not OK</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x555","0x555"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Disk Remaining Space Status Details</title>
      <table>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size_Details" 
| search host=$tok_filterhost$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Disk Health Status Details</title>
      <table>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status_Details" 
| search host=$tok_filterhost$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <format type="color" field="Status">
          <colorPalette type="map">{"OK":#3863A0}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>

renjith_nair · ‎01-04-2019

What are the fields in the result of savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status_Details". Does it have host field?

---
What goes around comes around. If it helps, hit it with Karma 🙂

help for linking my request with a token

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

help for linking my request with a token

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future