Dashboards & Visualizations

Set a number of tokens from a base search in a dashboard to be consumed as needed in other panels

mjones414
Contributor

This seems like it would be straightforward enough based on the documentation, but I have been completely unsuccessful at implementing this method.  Basically I am setting up an interactive dashboard where someone provides an ID in one of a few different valid formats.  From there, I  want to normalize all the potential ID's associated in the different sources for that user and pull together a set of panels from otherwise isolated systems.  

 

 

 

 <search id="User_Lookup">
    <query>|inputlookup user_inventory.csv" | $ACCT_TYPE|s$| fields *</query>
    <done>
      <condition match="'$result.doneProgress$' = 1">
      <set token="tok_email">$result.dv_email$</set>
      <set token="tok_altId">$result.dv_u_AltId$</set>
      <set token="tok_samact">$result.dv_u_logonid$</set>
      <set token="tok_sso">$result.dv_u_sso$</set>
      </condition>
    </done>
  </search>
 <title>Top 10 External Email destinations.</title>
        <search>
          <query>sourcetype=stash   source="summary_mailstuffs" src_user=$tok_email$
| top 10 dest_email</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>

 

 

 

 

But the dashboard never appears to recognize that $tok_email$ is being set from the base search.  I am 100% certain the field and value exist in the base search.  Where am I going wrong?

Labels (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Could it be that when the done handler runs $result.doneProgress$ is not 1?

0 Karma

mjones414
Contributor

Its possible, but what I did was looked at a successful run of the search's job properties and pull whatever the value was on completion.  Even with no conditions defined, it still doesn't seem to populate the token at any time.

0 Karma

mjones414
Contributor

What I'm ultimately trying to accomplish above is the ability to present someone with a text box where they can type in an ID.  The ID can be in one of three formats in this case.  I handle what kind of id it is by the following inputs:

<fieldset submitButton="false">
    <input type="text" token="ACCT_NAME" searchWhenChanged="true">
      <label>Account Name</label>
      <default></default>
      <prefix></prefix>
      <suffix></suffix>
    </input>
    <input type="radio" token="ACT_TYPE" searchWhenChanged="true">
      <label>Account Type</label>
      <choice value="where dv_u_altId=$ACCT_NAME$">AltID</choice>
      <choice value="where dv_u_logonid=$ACCT_NAME$">sAMAccountName</choice>
      <choice value="where dv_u_sso=$ACCT_NAME$">User Principal Name</choice>
    </input>
  </fieldset>

 

The choices then complete the base search above and return three fields.  I want to make the value of those fields tokens for search panels in the rest of the dashboard. 🙂

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...