Can you have a token inside a token?

a238574 · ‎02-13-2018

I am using a static dropdown list that has 2 options. The values for the 2 drop-down options are slightly different queries. I use this token in the panel definition to set the query. The original queries were defined using a token from a text field that allowed the user to enter an account id to only see the output for a particular account. Is it possible to define the value of the drop-down token/variable to contain and get updates when the text field is updated? I have set defaults for both and when used separately work just fine.

  <input type="dropdown" token="SearchV1" searchWhenChanged="true">
    <label>Search by Account/AMI</label>
    <choice value="Search string for query which includes another token $AccountAMIId$">List by Account</choice>
    <choice value="Search string for query which includes another token $AccountAMIId$">List by  AMI</choice>
    <default>List by Account Search string for query which includes token $AccountAMIId$"</default>
  </input>

I have modified the Panel to use the Dropdown value as the search string but when I look at the resulting search the token inside the search string has not been replaced with the value of the token

<query>$SearchV1$</query>

Can this be done?

worshamn · ‎05-29-2018

The answer is yes you can but you have to wrap it inside of <![CDATA[Search string for query which includes another token $AccountAMIId$]]> AND that has to be a value that is not an attribute to the element (at least I haven't figured out how to get that to work with this but this way does see below). This so that it is interpreted as character data. See https://answers.splunk.com/answers/138803/set-token-in-the-value-of-another-token.html
Here is how I do it, I set a dummy token, and change based on the choice:

<input type="dropdown" token="SearchV1_dummy" searchWhenChanged="true">
  <label>Search by Account/AMI</label>
  <choice value=“List by Account">List by Account</choice>
  <choice value="List by  AMI">List by  AMI</choice>
  <default>List by Account"</default>
  <change>
    <condition value="List by Account">
       <set token="SearchV1"><![CDATA[search string with token $AccountAMIId$]></set>
    </condition>
    <condition value="List by AMI">
       <set token="SearchV1”>…so on and so forth
    </condition>
 </input>

UPDATE-- I'd like to note that I find this very finicky and often doesn't work. I've resorted to instead commenting out parts of the search with tokens (setting a token for the beginning of the comment and one for the end) that way the original token I wanted replaced is part of the original search and consistently gets set.

ansif · ‎02-16-2018

If I understood your question correctly,use the below example,where the search query is based on the token.

<form>
  <label>Exchange Frequent Report Request</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime">
      <label>Select Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tokHost">
      <label>Select Host</label>
      <default>ABCD.com</default>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=msexchange | dedup host
| sort host
| table host</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="report">
      <label>Reports</label>
      <choice value="cpu">CPU</choice>
      <choice value="memory">Memory</choice>
      <choice value="read">Logical Disk Sec/Read</choice>
      <choice value="write">Logical Disk Sec/Write</choice>
      <default>cpu</default>
      <change>
        <condition value="cpu">
          <set token="cpu_show">true</set>
          <unset token="memory_show"></unset>
          <unset token="read_show"></unset>
          <unset token="write_show"></unset>
        </condition>
        <condition value="memory">
          <unset token="cpu_show">true</unset>
          <set token="memory_show"></set>
          <unset token="read_show"></unset>
          <unset token="write_show"></unset>
        </condition>
        <condition value="read">
          <unset token="cpu_show">true</unset>
          <unset token="memory_show"></unset>
          <set token="read_show"></set>
          <unset token="write_show"></unset>
        </condition>
        <condition value="write">
          <unset token="cpu_show">true</unset>
          <unset token="memory_show"></unset>
          <unset token="read_show"></unset>
          <set token="write_show"></set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart depends="$cpu_show$">
        <title>CPU Utilization</title>
        <search>
          <query>index="perfmon" collection="CPU" counter="% Processor Time" host="$tokHost$" | bucket _time span=1h | timechart usenull=f span=1h avg(Value) as avg_CPU by host useother=false limit=0</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="height">275</option>
      </chart>
      <chart depends="$memory_show$">
        <title>Memory Free Percentage</title>
        <search>
          <query>index=windows tag=oshost tag=performance tag=memory host="$tokHost$" | timechart usenull=f span=1h avg(mem_free_percent) as mem_free_percent by host useother=false limit=0</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="height">300</option>
      </chart>
      <chart depends="$read_show$">
        <title>Average Disk sec/Read</title>
        <search>
          <query>index=perfmon sourcetype="Perfmon:LogicalDisk" counter="Avg. Disk sec/Read" host="$tokHost$" | timechart avg(Value) by instance useother=false limit=0</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="height">448</option>
      </chart>
      <chart depends="$write_show$">
        <title>Average Disk sec/Write</title>
        <search>
          <query>index=perfmon sourcetype="Perfmon:LogicalDisk" counter="Avg. Disk sec/Write" host="$tokHost$" | timechart avg(Value) by instance useother=false limit=0</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="height">318</option>
      </chart>
    </panel>
  </row>
</form>

a238574 · ‎02-22-2018

Your example is not really what I am doing. I am trying to use a nested token. I have a drop down that lets you select one of 2 searches. That token from the dropdown is used in the panel definition query. I want to use a token inside each of the queries. The token inside the query never gets interpreted.

Can you have a token inside a token?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor