How to pass a token in one dashboard that will imp...

smanojkumar · ‎03-31-2023

Hi There,

I had a panel "OS", that gives the value os,

based on the value of os,

if it were "Windows" it should display a panel "defender version", not "Agent version"

If it were "MAC" it should display "Agent version", not "defender version"

I don't need drop down by selecting the values in "OS" panel, The os values wants to make impact on choosing the panel.

Thanks in Advance!

ITWhisperer · ‎03-31-2023

Please share what you currently have i.e. what searches and panels have you already created?

smanojkumar · ‎03-31-2023

Hi @ITWhisperer ,

The pannel "OS" is

| inputlookup lookupfilekvstore
| fields name, os
| search name IN ($name$)
| table os

, the panel when os="Windows"

| inputlookup lookupfilekvstore
| fields name, defender
| search name IN ($name$)
| table defender

, the panel when os="MAC" OR "OS - X"

| inputlookup lookupfilekvstore
| fields name, agent
| search name IN ($name$)
| table agent

ITWhisperer · ‎03-31-2023

If you are using SimpleXML dashboards, you can add a done handler to the first search which sets tokens depending on the os, and have depends attributes on the Windows and Mac panels to show them as appropriate.

smanojkumar · ‎04-02-2023

Hi @ITWhisperer ,

Can you please help me in adding the done handler in the search,

Thanks!

ITWhisperer · ‎04-02-2023

  <search>
    <query>
| inputlookup lookupfilekvstore
| fields name, os
| search name IN ($name$)
| table os
    </query>
    <done>
      <eval token="osname">$result.os$</eval>
    </done>
  </search>

smanojkumar · ‎04-07-2023

I tried using, I'm having some error, here is the full query
I need Agent version panel when os is "MAC" or "OS X" or "IOS" , i need defender sig version if the os is "windows" or "windows 7" or "windows*"

<form theme="dark">
  <label> ASSET STATUS</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="category" searchWhenChanged="true">
      <label>Category</label>
      <choice value="work">Work</choice>
      <choice value="auto">Auto</choice>
      <choice value="server">Server</choice>
      <search>
        <query/>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>work</default>
      <change>
        <condition value="work">
          <set token="Work">"Work"</set>
          <unset token="Auto"></unset>
        </condition>
        <condition value="auto">
          <set token="Auto">"Auto"</set>
          <unset token="Work"></unset>
        </condition>
        <condition value="server">
          <set token="Server">"Server"</set>
          <unset token="Work"></unset>
          <unset token="Auto"></unset>
        </condition>
      </change>
    </input>
    <input type="text" token="src_name" searchWhenChanged="true">
      <label>src_name</label>
      <default>*</default>
    </input>
  </fieldset>
<row>
              <panel>
      <title>OS</title>
      <single>
        <search>
          <query>| inputlookup $category$_sanity_check_kvstore
| fields src_name, os
| search src_name IN ($src_name$)
| table os</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
</row>
<row>
    <panel depends="$Work$">
      <title>Defender Sig Version</title>
      <single>
        <search>
          <query>| inputlookup $category$_sanity_check_kvstore
| fields src_name, defender_sig_version_check
| search src_name IN ($src_name$)
| table defender_sig_version_check</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Agent Version</title>
      <single>
        <search>
          <query>| inputlookup $category$_sanity_check_kvstore
| fields agentVersion_value,base_agentVersion_value, src_name
| search src_name IN ($src_name$)
| eval edr_mac_check=if(agentVersion_value&gt;=base_agentVersion_value,3,0)
| table edr_mac_check</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>

ITWhisperer · ‎04-07-2023

How does this implement the suggestions made?

smanojkumar · ‎04-07-2023

Error in the sense, how to select panel based on the output of OS, I need that as well, we are done with passing the result and need help to select panel based on the output of OS

How to pass a token in one dashboard that will impact other panel based on values?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to pass a token in one dashboard that will impact other panel based on values?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine