Splunk Search

How to set a token from a base search in my dashboard to be consumed in an HTML panel?

swe
Path Finder

hi there,

I want to display an image based on the result of a search. My dashboard has a "base search" which is used in multiple visualizations on the dashboard:

    <search id="BaseSearch">
        <query>  
.... | stats last(_time) as latest BY    current_observation.display_location.city    current_observation.dewpoint_c   current_observation.feelslike_c    current_observation.icon_url   current_observation.image.url   current_observation.weather  
      </query>
        <earliest>$tok_time.earliest$</earliest>
        <latest>$tok_time.latest$</latest>
        <finalized>
                   <set token="tok_wimg">$result.current_observation.icon_url$</set>
        </finalized>     
      </search>

.... and an html panel:

  <html>
   $tok_wimg$
  </html>

When executing the dashboard, I see that the html panel shows:

$result.current_observation.icon_url$

but not the content, so I guess that:

a) setting the token does not work like this?
or
b) I need to find a way to render the html panel when the search has finished?

Do you have any suggestions?

thanks
steve

1 Solution

renjith_nair
Legend

Hello Steve,

You just need to include a condition for matching and set the token. for eg: below is a working example

<dashboard>
  <label>TEST</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* |stats count by sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <finalized >
                    <condition match=" 'job.resultCount' != 0">
                            <set token="tok_wimg">$result.sourcetype$</set>
                     </condition>
                     <condition>
                            <set token="tok_wimg">No result found</set>
                     </condition>
          </finalized >           
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <h1>$tok_wimg$</h1>
    </html>
    </panel>
  </row>
</dashboard>

The html panel will display the token name just during the execution time since you are setting the token on search finalization. If you do not want to display at all, just hide the panel until search is finished using the tokens.

See here for details
http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/EventHandlerReference#Search_event_handlers

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair
Legend

Hello Steve,

You just need to include a condition for matching and set the token. for eg: below is a working example

<dashboard>
  <label>TEST</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* |stats count by sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <finalized >
                    <condition match=" 'job.resultCount' != 0">
                            <set token="tok_wimg">$result.sourcetype$</set>
                     </condition>
                     <condition>
                            <set token="tok_wimg">No result found</set>
                     </condition>
          </finalized >           
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <h1>$tok_wimg$</h1>
    </html>
    </panel>
  </row>
</dashboard>

The html panel will display the token name just during the execution time since you are setting the token on search finalization. If you do not want to display at all, just hide the panel until search is finished using the tokens.

See here for details
http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/EventHandlerReference#Search_event_handlers

---
What goes around comes around. If it helps, hit it with Karma 🙂

woodcock
Esteemed Legend

How does anybody consider this a valid answer? The question specifically asks says from a base search. There is no base search in this answer. What am I missing.

shalomsuresh
Explorer

Is there a different method when its on base search?

0 Karma

mmcg
Explorer

This is great, thanks a bunch!

0 Karma

justdaveconsult
Engager

THANK YOU! I was trying so hard just to wrap text for a SingleElement and messing with so much stuff... this was so much easier. Thank you so much.

0 Karma

swe
Path Finder

hi renjith.nair,

your example works. thanks!

thanks
steve

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...