Splunk Enterprise

What's the value of a token if is not set in an input?

AleCanzo
Explorer

Hi everyone,
What's the value of a token if is not set in an input? An empty string, null() or?
I was trying to do something like:
| eval user=if(isnull("$user_token$"), user, "$user_token$"), but it doesn't work.

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

As @ITWhisperer points out, the token has no value so your search won't run at all to get to that point.

If you want to always have a token so you search will run, you should set the default for the token to something, even if it's just the empty string, i.e. <default></default> but then your SPL would be

| eval user=if(len($user_token|s$)=0, user, $user_token|s$)

i.e. it checks for length of 0 in the  input. Note the use of $user_token|s$, i.e. with a |s before the final $ sign which effectively quotes the token.

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

As @ITWhisperer points out, the token has no value so your search won't run at all to get to that point.

If you want to always have a token so you search will run, you should set the default for the token to something, even if it's just the empty string, i.e. <default></default> but then your SPL would be

| eval user=if(len($user_token|s$)=0, user, $user_token|s$)

i.e. it checks for length of 0 in the  input. Note the use of $user_token|s$, i.e. with a |s before the final $ sign which effectively quotes the token.

 

moorte
Explorer

The other thing you can do without installing an app is to go into the xml and create an html tag

<row>
<html>
Value of token1 = $token1$
Value of token2 = $otken2$
</html>
</row>

I may have shorthanded the html tags, but basically everytime the token changes the token value will be displayed in that html tag.  Really easy way to keep track of the token value.  If you need a default token value look into using the <set> function in tokens.  

But @ITWhisperer was spot on when he said that when a token is not set it is neither empty nor null.  

LAME-Creations
SplunkTrust
SplunkTrust

No app necessary and doesn't need javascript.  Works on a post.  This is the way to go.  Using an app is not a bad method, but sometimes you have to go through a change control board or you use splunk cloud.  Using an HTML Tag will work as long as you have edit rights to the dashboard, which you should if you are coding the dashboard.  

LAME-Creations
SplunkTrust
SplunkTrust

The following youtube video shows this tactic

Master Splunk Dashboards: Expert Guide to Troubleshooting Tokens!

it is at about the 7 minute mark of the video.  

<row>
<panel>
<html>
your code
</html>
</panel>
</row>

isoutamo
SplunkTrust
SplunkTrust
No need to use html tags. You could add those into title etc. But when you have lot of those and you will set and unset those based on buttons, clicks etc. then this approach doesn’t work anymore.

isoutamo
SplunkTrust
SplunkTrust

When you are playing with tokens in SXML, you should install this app https://classic.splunkbase.splunk.com/app/1603/

Then add this into your forms.

<form version="1.1" theme="light" script="simple_xml_examples:showtokens.js">

After this it shows all tokens what you have and what are their values like

isoutamo_0-1750343208310.png

When I add ip, but didn't press submit

isoutamo_1-1750343253792.png

isoutamo_2-1750343273087.png

After submit is pressed.

https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf

 

richgalloway
SplunkTrust
SplunkTrust

An unset token has no value, but it is not null, either.  It's as though the token doesn't exist.

Splunk will not execute a query if any of the tokens within it are undefined.

---
If this reply helps you, Karma would be appreciated.

ITWhisperer
SplunkTrust
SplunkTrust

If a token is not set, the dashboard will wait until the token is set before proceeding to evaluate the search.

What is your usecase? Perhaps there may be a better way to approach this?

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...