I am using Splunk 6.4.4.
The dashboard is a form and I am editing the source in the dashboard XML editor.
Here are code snippets showing how I am creating and using the tokens:
<input type="dropdown" token="" searchWhenChanged="true">
  <label>Data Display Detail:</label>
  <choice value="1">Level 1</choice>
  <choice value="2">Level 2</choice>
  <choice value="3">Level 3</choice>
  <default>1</default>
  <initialValue>1</initialValue>
  <change>
    <condition value="1">
      <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, db_user | where 'Failures'> 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, db_user</set>
      <set token="token_level">1</set>
      <set token="token_fields"></set>
    </condition>
    <condition value="2">
      <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, dest_ip, dest_host, db_name, db_user | where 'Failures'> 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, dest_ip, dest_host, db_name, db_user</set>
      <set token="token_level">2</set>
      <set token="token_fields">"Destination IP Address", "Destination Server Name", "Database Name",</set>
    </condition>
    <condition value="3">
      <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_user | where 'Failures'> 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_user</set>
      <set token="token_level">3</set>
      <set token="token_fields">"Source IP Address", "OS User", "Source App", "Destination IP Address", "Destination Server Name", "Database Name",</set>
    </condition>
  </change>
</input>

<table>
  <search base="access_violations">
    <query>search $severity_tok$ $src_ip_tok$ $src_app_tok$ $os_user_tok$ $dest_ip_tok$ $db_name_tok$ $db_user_tok$ $include_user_type$ $exclude_user_type$ | $token_search$</query>
  </search>
  <option name="wrap">true</option>
  <option name="rowNumbers">false</option>
  <option name="dataOverlayMode">none</option>
  <option name="drilldown">cell</option>
  <option name="count">10</option>
  <drilldown>
    <set token="showDetails">true</set>
    <set token="event_time">$row.Event Time$</set>
    <set token="source_ip">$row.Source IP$</set>
    <set token="os_user">$row.OS User$</set>
    <set token="src_app">$row.Source Application$</set>
    <set token="dest_ip">$row.Destination IP$</set>
    <set token="dest_host">$row.Destination Hostname$</set>
    <set token="db_name">$row.Database Name$</set>
    <set token="sql_command">$row.SQL Command$</set>
    <set token="object_type">$row.Object Type$</set>
  </drilldown>
  <fields>[ "_time", $token_fields$ "Database User", "Violations", "Failures"]</fields>
</table>
NOTE: The tokens in the first part of the post-processing search are created by single-selection listboxes at the top of the dashboard form. The search works perfectly for what we want to report. The current iteration of the code lists all of the desired fields for the panel to display, so when a lower level of detail is selected, the panel has no data for the unused columns. We are wanting to display only those columns that will contain data.
We are using the "fields" clause/module to limit what data to display while still allowing all of the search result fields to be available should the user decide to "Open in search", so they will not need to alter the search once it runs to remove the fields command to get all of the data.
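The post above builds the table's `<fields>` list by splicing a per-level token fragment (with a trailing comma, or an empty token for Level 1) into a hard-coded list. As an added example that is not the poster's dashboard, the following stripped-down Simple XML form shows the same dropdown/condition pattern with each condition setting the complete `<fields>` array and the matching `by` clause for the stats command, so the table only ever shows the columns the selected level produces while the underlying search still returns every field for "Open in Search". The index, sourcetype, time range and token names (`detail_level`, `token_groupby`, `token_fields`) are assumptions for illustration, not values from the original post.

```xml
<form>
  <label>Database access failures (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="detail_level" searchWhenChanged="true">
      <label>Data Display Detail:</label>
      <choice value="1">Level 1</choice>
      <choice value="2">Level 2</choice>
      <default>1</default>
      <change>
        <!-- Each condition sets BOTH the grouping fields for the search and
             the full column list for the table, so neither needs string splicing. -->
        <condition value="1">
          <set token="token_groupby">_time, db_user</set>
          <set token="token_fields">["_time", "db_user", "Failures"]</set>
        </condition>
        <condition value="2">
          <set token="token_groupby">_time, dest_ip, dest_host, db_name, db_user</set>
          <set token="token_fields">["_time", "dest_ip", "dest_host", "db_name", "db_user", "Failures"]</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- index/sourcetype are assumed placeholders; the search keeps every
               grouped field plus the listed values, so "Open in Search" shows all of them. -->
          <query>index=db_audit sourcetype=db_audit_failures
            | bin _time span=24h
            | stats count as Failures list(event_time) as event_time list(sql_command) as sql_command by $token_groupby$
            | where Failures > 14</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <!-- The token already holds a complete JSON array, so no trailing-comma handling is needed. -->
        <fields>$token_fields$</fields>
        <option name="wrap">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Because `<fields>` only filters what the table renders, the `event_time` and `sql_command` multivalue columns remain in the result set and appear when the panel is opened in Search; adding a third condition for Level 3 is just another `<condition>` block with its own `token_groupby` and `token_fields` pair.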