Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I use a token in the value of an input?

jeffland
SplunkTrust
SplunkTrust
‎11-04-2015 04:40 AM

Hi. I have a dashboard with a panel on top that displays some data, grouped by a selected field (selected through an input). Below that panel, there is another panel which displays a chart containing the aggregated values from the data in the top panel.
In that second panel, I would like to be able to give the user an option to show additional data, to see how the aggregated values compare relative to something. For that, I have another input to select between absolute and relative display of the data. Since the relative aspect is dependent of the field selected in the upper panel, I'd like to use the token from above in the value.
In case this sounds too complicated, here is some xml to demonstrate:

<!--first row-->
<row>
  <panel>
    <input type="dropdown" token="token_a" searchWhenChanged="true">
      <choice value="foo">foo</choice>
      <choice value="foo_max">foo_max</choice>
      ...
      <table>
        ...
<!--second row-->
<row>
  <panel>
    <input type="dropdown" token="token_b" searchWhenChanged="true">
      <choice value="| stats count by bucket">Absolute</choice>
      <choice value="| stats count by bucket | join bucket [search host=bar | bucket $token_a$ as bucket ...]">Relative</choice>
      ...
        <table>
          <search>
            <query>some_searching $token_b$

I hope this explains what I want to do. The problem is that apparently, you can't use a token in the value of an input (the second choice of the second row), as this will be translated literally and thus result in a search that contains the command "| bucket $token_b$ as bucket".
I have tried replacing the dollars with double dollars and escaping the dollars with a backslash, which both didn't work (the token is replaced literally, so the search is then "| bucket $$token_b$$ as bucket" or "| bucket \$token_b\$ as bucket"). I also tried placing the value of the input in CDATA brackets, which only breaks the xml.

So how do I do this? Is this possible at all? I know I could split up token_b to multiple parts, create them with a couple of change - condition - set lines and fiddle everything back together in the search of the second row, but that is error prone and hard to maintain.

Any input appreciated!

Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎07-14-2017 11:07 AM

The answer is no, you can't or shouldn't use a token in the value definition of another token. It will not update the way you want.

Instead, you have to usually build different displays for the variations you want and toggle the visible displays, or you have to build the flexibility into the query string such that it is split up into parts and more flexible to the variations you want.

You have not shared all of your XML, so I can't give you a working option. Still, the answer is you can't do what you want so you have to build one of the variations I described.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-06-2017 01:46 PM

I disagree with the other answer. I have always used values from preceding inputs in search terms for the rest of inputs, e.g.,

    <input type="dropdown" token="source_tok" searchWhenChanged="true">
      <label>Source</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index=main
| stats count by source</query>
        <earliest>-1d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="host_tok" searchWhenChanged="true">
      <label>Host</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=main source=$source_tok$
       | stats count by host</query>
        <earliest>-1d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎11-06-2017 02:40 PM

You are missing the use case in the original question. The issue is not the use of tokens in the search element of an input - something I do all the time as well. The issue is the use of the token in the choice element of the input, because the choice elements actual value is only interpreted once. This does not work as the questioner wants. Neither does it work in prefix, suffix, valueSuffix, or valuePrefix elements.

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎07-14-2017 11:07 AM

The answer is no, you can't or shouldn't use a token in the value definition of another token. It will not update the way you want.

Instead, you have to usually build different displays for the variations you want and toggle the visible displays, or you have to build the flexibility into the query string such that it is split up into parts and more flexible to the variations you want.

You have not shared all of your XML, so I can't give you a working option. Still, the answer is you can't do what you want so you have to build one of the variations I described.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...