Dashboards & Visualizations

Can you have a token inside a token?

a238574
Path Finder

I am using a static dropdown list that has 2 options. The values for the 2 drop-down options are slightly different queries. I use this token in the panel definition to set the query. The original queries were defined using a token from a text field that allowed the user to enter an account id to only see the output for a particular account. Is it possible to define the value of the drop-down token/variable to contain and get updates when the text field is updated? I have set defaults for both and when used separately work just fine.

  <input type="dropdown" token="SearchV1" searchWhenChanged="true">
    <label>Search by Account/AMI</label>
    <choice value="Search string for query which includes another token $AccountAMIId$">List by Account</choice>
    <choice value="Search string for query which includes another token $AccountAMIId$">List by  AMI</choice>
    <default>List by Account Search string for query which includes token $AccountAMIId$"</default>
  </input>

I have modified the Panel to use the Dropdown value as the search string but when I look at the resulting search the token inside the search string has not been replaced with the value of the token

<query>$SearchV1$</query>

Can this be done?

worshamn
Contributor

The answer is yes you can but you have to wrap it inside of <![CDATA[Search string for query which includes another token $AccountAMIId$]]> AND that has to be a value that is not an attribute to the element (at least I haven't figured out how to get that to work with this but this way does see below). This so that it is interpreted as character data. See https://answers.splunk.com/answers/138803/set-token-in-the-value-of-another-token.html
Here is how I do it, I set a dummy token, and change based on the choice:

<input type="dropdown" token="SearchV1_dummy" searchWhenChanged="true">
  <label>Search by Account/AMI</label>
  <choice value=“List by Account">List by Account</choice>
  <choice value="List by  AMI">List by  AMI</choice>
  <default>List by Account"</default>
  <change>
    <condition value="List by Account">
       <set token="SearchV1"><![CDATA[search string with token $AccountAMIId$]></set>
    </condition>
    <condition value="List by AMI">
       <set token="SearchV1”>…so on and so forth
    </condition>
 </input>

UPDATE-- I'd like to note that I find this very finicky and often doesn't work. I've resorted to instead commenting out parts of the search with tokens (setting a token for the beginning of the comment and one for the end) that way the original token I wanted replaced is part of the original search and consistently gets set.

ansif
Motivator

If I understood your question correctly,use the below example,where the search query is based on the token.

<form>
  <label>Exchange Frequent Report Request</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label>Select Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tokHost">
      <label>Select Host</label>
      <default>ABCD.com</default>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=msexchange | dedup host
| sort host
| table host</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="report">
      <label>Reports</label>
      <choice value="cpu">CPU</choice>
      <choice value="memory">Memory</choice>
      <choice value="read">Logical Disk Sec/Read</choice>
      <choice value="write">Logical Disk Sec/Write</choice>
      <default>cpu</default>
      <change>
        <condition value="cpu">
          <set token="cpu_show">true</set>
          <unset token="memory_show"></unset>
          <unset token="read_show"></unset>
          <unset token="write_show"></unset>
        </condition>
        <condition value="memory">
          <unset token="cpu_show">true</unset>
          <set token="memory_show"></set>
          <unset token="read_show"></unset>
          <unset token="write_show"></unset>
        </condition>
        <condition value="read">
          <unset token="cpu_show">true</unset>
          <unset token="memory_show"></unset>
          <set token="read_show"></set>
          <unset token="write_show"></unset>
        </condition>
        <condition value="write">
          <unset token="cpu_show">true</unset>
          <unset token="memory_show"></unset>
          <unset token="read_show"></unset>
          <set token="write_show"></set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart depends="$cpu_show$">
        <title>CPU Utilization</title>
        <search>
          <query>index="perfmon" collection="CPU" counter="% Processor Time" host="$tokHost$" | bucket _time span=1h | timechart usenull=f span=1h avg(Value) as avg_CPU by host useother=false limit=0</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="height">275</option>
      </chart>
      <chart depends="$memory_show$">
        <title>Memory Free Percentage</title>
        <search>
          <query>index=windows tag=oshost tag=performance tag=memory host="$tokHost$" | timechart usenull=f span=1h avg(mem_free_percent) as mem_free_percent by host useother=false limit=0</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="height">300</option>
      </chart>
      <chart depends="$read_show$">
        <title>Average Disk sec/Read</title>
        <search>
          <query>index=perfmon sourcetype="Perfmon:LogicalDisk" counter="Avg. Disk sec/Read" host="$tokHost$" | timechart avg(Value) by instance useother=false limit=0</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="height">448</option>
      </chart>
      <chart depends="$write_show$">
        <title>Average Disk sec/Write</title>
        <search>
          <query>index=perfmon sourcetype="Perfmon:LogicalDisk" counter="Avg. Disk sec/Write" host="$tokHost$" | timechart avg(Value) by instance useother=false limit=0</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="height">318</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma

a238574
Path Finder

Your example is not really what I am doing. I am trying to use a nested token. I have a drop down that lets you select one of 2 searches. That token from the dropdown is used in the panel definition query. I want to use a token inside each of the queries. The token inside the query never gets interpreted.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...