Solved: Why am I unable to populate a token with the resul...

felipetavares · ‎03-01-2016

Hello there guys,

I'm trying to populate a token with the result of a search so I'm able to use this value at various other points of the Dashboard.
The search only has the field sourcetype at the end and it should populate the token "asas" with the sourcetype, based on the search result.
This search runs and I'm able to see that it have more than zero results, based on the Job monitor.

I'm using Splunk 6.2.2 and I was reading the "Search event handlers", but couldn't make it work.

The point is that this token never gets the data set into it, maybe you someone could help me?

Dashboard code:

<dashboard>
  <label>Test Validation - $asas$</label>
  <search>
    <query>index=oneshot | head 1 | fields sourcetype</query>
    <finalized>
      <set token="asas">results.sourcetype</set>
      <condition match=" 'job.resultCount' >= 0">
        <set token="show_html">true</set>
      </condition>
      <condition>
        <unset token="show_html"></unset>
      </condition>
    </finalized>
  </search>
  <row>
    <panel>
      <title>testeeeee $asas$</title>
      <table>
        <search>
          <query>index="oneshot" search |head 1 | eval teste=$show_html$ | eval gethim=$asas$ | table GrupoNome2,gethim</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>asasasas</title>
      <html>
        <center>teste - $asas$</center>
      </html>
    </panel>
  </row>
</dashboard>

somesoni2 · ‎03-01-2016

Replace this

 <set token="asas">results.sourcetype</set>

with

 <set token="asas">$result.sourcetype$</set>

View solution in original post

somesoni2 · ‎03-01-2016

Replace this

 <set token="asas">results.sourcetype</set>

with

 <set token="asas">$result.sourcetype$</set>

felipetavares · ‎03-03-2016

Hello there @somesoni2, I did it but it didn't work either.
I was searching and I think that I will need version 6.3+ for this to work. Do you know if I'm right? :x

Vimalsekar · ‎09-01-2017

Hi,
I have a similar problem, my token $URL$ is not being set with values..the same query is working fine in another dashboard...My Splunk version 6.5.2

<query>index=MyIndex sourcetype=MySourceType  
| eval URLink = case(ENV=="PROD", "zzz.yy.xx", 1=1, "zzz-".ENV.".yy.xxx") | head 1 | table ENV URLink</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<!--<done>
  <set token="Env">$result.ENV$</set>
  <set token="URLink">$result.URLink$</set>
</done> -->
 <finalized>
    <condition>
      <set token="URL">$result.URLink$</set>
    </condition>
 </finalized>

somesoni2 · ‎09-01-2017

The event handler have been updated in Splunk 6.5.x, see this for updated list of event handlers available. http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/EventHandlerReference#Search_event_handlers

somesoni2 · ‎03-04-2016

Thats correct. The option finalized for search is only available for 6.3.x version.

Vimalsekar · ‎09-01-2017

Hi @somesoni2, can u pls help me on my question above...

Why am I unable to populate a token with the result of a search with my current Simple XML?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?

Why am I unable to populate a token with the result of a search with my current Simple XML?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...