splunk, splunk-dashboard

Use Tokens in Dashboard Panel Query


I am trying to build a dashboard where a user selects a value from a drop-down and, based on the value selected, multiple panels are populated. Once a value is selected, I need to look up some values corresponding to it and then use those looked-up values in a query to populate the panels. Here is my minimized dashboard code:

<form>
  <label>ZZ_Test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="groupToken">
      <label>Group</label>
      <choice value="group1">group1</choice>
      <choice value="group2">group2</choice>
      <choice value="group3">group3</choice>
      <default>group1</default>
      <change>
        <set token="itemToken">|makeresults count=1|eval b="$groupToken$"|lookup mycsv.csv group as b OUTPUT item AS items|eval items=mvjoin(items,",")|fields items</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=myIndex|search items IN ($itemToken$)</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <search>
          <query>$itemToken$</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>

This does not work, as itemToken gets replaced with its query within my main query, and that causes a malformed query to be formed. I need itemToken to be evaluated only once, whenever the drop-down value changes, and then to be able to use it in any of my queries, but instead it appears that itemToken is evaluated in place wherever it is used.

In this dashboard, the second panel is getting populated with the result of the itemToken query, but the first panel fails because of the malformed query. How do I go about solving this?


Solution

  • The <set> element assigns a literal value to a token. It cannot execute a search query.

    Consider setting the token using a base search. Run your query in a <search> element and set the token using <done>.

    <form>
      <label>ZZ_Test</label>
      <fieldset submitButton="false">
        <input type="dropdown" token="groupToken">
          <label>Group</label>
          <choice value="group1">group1</choice>
          <choice value="group2">group2</choice>
          <choice value="group3">group3</choice>
          <default>group1</default>
        </input>
      </fieldset>
      <search id="setitemtoken">
        <query>|makeresults count=1|eval b="$groupToken$"|lookup mycsv.csv group as b OUTPUT item AS items|eval items=mvjoin(items,",")|fields items</query>
        <done>
          <!-- $result.<field>$ reads the field from the first row of the finished search -->
          <set token="itemToken">$result.items$</set>
        </done>
      </search>
      <row>
        <panel>
          <single>
            <search>
              <query>index=myIndex|search items IN ($itemToken$)</query>
              <earliest>$earliest$</earliest>
              <latest>$latest$</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </single>
        </panel>
      </row>
    </form>
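
A variant of the dashboard above that also covers a group with no match in the lookup and a stale token while the lookup search is still running. This is an added example, not part of the original answer: it assumes the same `mycsv.csv` lookup and `myIndex` index, and the `|s` token filter, the `where isnotnull(items)` clause, the `<condition>` handlers and the `depends` attribute are additions.

```xml
<form>
  <label>ZZ_Test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="groupToken">
      <label>Group</label>
      <choice value="group1">group1</choice>
      <choice value="group2">group2</choice>
      <choice value="group3">group3</choice>
      <default>group1</default>
      <change>
        <!-- Drop the previous group's items until the lookup search finishes -->
        <unset token="itemToken"></unset>
      </change>
    </input>
  </fieldset>
  <search id="setitemtoken">
    <!-- $groupToken|s$ inserts the value wrapped in double quotes, so it stays a string literal in eval.
         The where clause leaves zero rows when the lookup has no match for the group. -->
    <query>| makeresults count=1 | eval b=$groupToken|s$ | lookup mycsv.csv group AS b OUTPUT item AS items | where isnotnull(items) | eval items=mvjoin(items,",") | fields items</query>
    <done>
      <!-- No rows: keep itemToken unset instead of running the panel with an empty IN () list -->
      <condition match="'job.resultCount' == 0">
        <unset token="itemToken"></unset>
      </condition>
      <condition>
        <set token="itemToken">$result.items$</set>
      </condition>
    </done>
  </search>
  <row>
    <!-- depends hides the panel and holds its search while itemToken is unset -->
    <panel depends="$itemToken$">
      <single>
        <search>
          <!-- The earliest/latest elements from the original are left out of this example -->
          <query>index=myIndex | search items IN ($itemToken$)</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>
```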