Splunk Search

How to set a token from a base search in my dashboard to be consumed in an HTML panel?

swe
Path Finder

hi there,

I want to display an image based on the result of a search. My dashboard has a "base search" which is used in multiple visualizations on the dashboard:

    <search id="BaseSearch">
        <query>  
.... | stats last(_time) as latest BY    current_observation.display_location.city    current_observation.dewpoint_c   current_observation.feelslike_c    current_observation.icon_url   current_observation.image.url   current_observation.weather  
      </query>
        <earliest>$tok_time.earliest$</earliest>
        <latest>$tok_time.latest$</latest>
        <finalized>
                   <set token="tok_wimg">$result.current_observation.icon_url$</set>
        </finalized>     
      </search>

.... and an html panel:

  <html>
   $tok_wimg$
  </html>

When executing the dashboard, I see that the html panel shows:

$result.current_observation.icon_url$

but not the content, so I guess that:

a) setting the token does not work like this?
or
b) I need to find a way to render the html panel when the search has finished?

Do you have any suggestions?

thanks
steve

1 Solution

renjith_nair
Legend

Hello Steve,

You just need to include a condition for matching and set the token. for eg: below is a working example

<dashboard>
  <label>TEST</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* |stats count by sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <finalized >
                    <condition match=" 'job.resultCount' != 0">
                            <set token="tok_wimg">$result.sourcetype$</set>
                     </condition>
                     <condition>
                            <set token="tok_wimg">No result found</set>
                     </condition>
          </finalized >           
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <h1>$tok_wimg$</h1>
    </html>
    </panel>
  </row>
</dashboard>

The html panel will display the token name just during the execution time since you are setting the token on search finalization. If you do not want to display at all, just hide the panel until search is finished using the tokens.

See here for details
http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/EventHandlerReference#Search_event_handlers

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair
Legend

Hello Steve,

You just need to include a condition for matching and set the token. for eg: below is a working example

<dashboard>
  <label>TEST</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* |stats count by sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <finalized >
                    <condition match=" 'job.resultCount' != 0">
                            <set token="tok_wimg">$result.sourcetype$</set>
                     </condition>
                     <condition>
                            <set token="tok_wimg">No result found</set>
                     </condition>
          </finalized >           
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <h1>$tok_wimg$</h1>
    </html>
    </panel>
  </row>
</dashboard>

The html panel will display the token name just during the execution time since you are setting the token on search finalization. If you do not want to display at all, just hide the panel until search is finished using the tokens.

See here for details
http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/EventHandlerReference#Search_event_handlers

---
What goes around comes around. If it helps, hit it with Karma 🙂

woodcock
Esteemed Legend

How does anybody consider this a valid answer? The question specifically asks says from a base search. There is no base search in this answer. What am I missing.

shalomsuresh
Explorer

Is there a different method when its on base search?

0 Karma

mmcg
Explorer

This is great, thanks a bunch!

0 Karma

justdaveconsult
Engager

THANK YOU! I was trying so hard just to wrap text for a SingleElement and messing with so much stuff... this was so much easier. Thank you so much.

0 Karma

swe
Path Finder

hi renjith.nair,

your example works. thanks!

thanks
steve

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...