Dashboard - How to set default value for token to ...

stucky101 · ‎08-03-2022

Hey Gurus

I have a conundrum here regarding a Dashboard Studio board I'm working on to show Infoblox zone transaction details.

I'm trying to write queries that allow for either passing a grid site name or leave it blank and show global stats. Normally, the default value for a token is "*" and that works perfectly with splunk's host wildcard.

However, for some reason, you decided to use a different wildcard for the "where like" function, that being "%". This messes up a query I have when not passing a value for site. Fe. the following query works out as desired when I pass token "sf01-ibsn-c01n" for macro_site:

where new_serial="$macro_serial$" AND like(client_resolved, "$macro_site$%")

It interpolates it as :

where new_serial="2654170934" AND like(client_resolved, "sf01-ibsn-c01n%")

Of course, when I don't pass a site, the query turns into garbage:

where new_serial="2654170934" AND like(client_resolved, "*%")

I cannot change the default value to "%", since now the host wildcard is messed up. I basically need either two conditional defaults or, perhaps, some dash/xml logic to deal with this ?

Any help would be appreciated.

Thank you !

stucky101 · ‎08-04-2022

Answering my own question here. I fixed it. Didn't realize that "search" can also take k/v so I dont even need "where" at all. Luckily, "search" takes regular wildcards 🙂

| search client_resolved="$macro_site$*"

Dashboard - How to set default value for token to two different values, depending on query?

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!