How to convert splunk dashboard panel with dynamic...

karthi2809 · ‎05-28-2024

Hi All,

I have a Splunk dashboard with dynamic token, Here a simplified example of my setup. In the dashboard $new_value$ and $env$ are dynamic token that user can select. I want to convert this panel into report that can accommodate these dynamic values. Could you guide me how to achieve this ?.I need to understand. Any details steps or examples would be greatly appreciated.

Base Query:
index=Test environment=$env$ applicationName=$new_value$ 
 | stats values(content.InterfaceName) as InterfaceName values(content.payload) as payloadFile values(content.ErrorMsg) as  errormsg  values(content.Error) as error BY  applicationName,correlationId
| table  Status Timestamp InterfaceName ApplicationName  CorrelationId
| search  interfaceName=$new_interface$ 

Panel Query with dynamic tokens:
 <search base="BankSearch">
          <query>| where Status LIKE ("$countStatus$")|sort -Timestamp</query></search>

gcusello · ‎05-28-2024

Hi @karthi2809,

for my knowledge, reports are static objects and you cannot pass a token to a report.

Why do you want to do this?

if it's to accelerate searches, use other methods as Data_nodels or Summary indexes.

Ciao.

giuseppe

karthi2809 · ‎05-28-2024

Hi @gcusello

Thanks for the reply. Actually i want to improve my dashboard performance. So i try to convert as report. But as you said its static. So if i use summary index or data model we can pass token ?any sample data model .And both will consume license right?

gcusello · ‎05-28-2024

Hi @karthi2809,

Yes, you can pass a token to a search based on DataModels or Summary Indexes.

Both of them don't consume license.

Ciao.

Giuseppe

How to convert splunk dashboard panel with dynamic token in reports?

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?