Hi, I initialize a token with a value (number in hex) and use this token in search. However, the dashboard still asks for input? My XML is below. Please advise. Thanks in advance.
Query Details by Day Clone
Distribution of count and response by host per day
<set token="InQueryHash">b6ffee0d1c4f18ba</set>
<panel>
<table>
<title>Query latency per host per hour</title>
<search>
<query>(splunk_server_group=default OR splunk_server_group=distapps) (index=distapps)
sourcetype="aa:bb" organizationId="cc" pname=dd.214 Request action=query
runTime>0 (respCode=200 OR respCode=408)
queryHash=$InQueryHash$
| bucket _time span=1h
| eval Date=strftime(_time,"%m/%d/%y %H:%M:%S")
| stats count(host) as querycount
avg(runTime) as avgtime
min(runTime) as mintime
max(runTime) as maxtime
perc95(runTime) as perc95time
perc50(runTime) as medtime
stdev(runTime) as stddevtime
by host, _time</query>
<earliest>1529798400</earliest>
<latest>1530403199</latest>
</search>
</table>
</panel>
Try the Developer Gadgets App
to help you see exactly what all of your tokens are all of time time:
@Cuonghuutran just to add, <init>
section to initialize token is available from Splunk version 6.5 onward. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Guidelines
So you would need to run an independent search otherwise to set this value to initialize in case you are not on version 6.5 or above.
For example following will set the token to a default value using a dummy search query
<!-- Independent Search to default token value in a dashboard -->
<search>
<query>| makeresults
</query>
<finalized>
<set token="InQueryHash">b6ffee0d1c4f18ba<>
</finalized>
</search>
PS: <finalized>
search event handler got replaced with <done>
from version 6.5 and higher. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Search_event_handlers
Change Splunk Version in the Documentation link to look at documentation specific to your Splunk Version.
Also <init>
section does not work on HTML Dashboards where you would need to use the concept of independent search again.
Thanks @niketnilay my Splunk version is indeed 6.3.2. Your solution works. Thanks @niketnilay, @poete, and @woodcock for your input. I will try Developer Gadgets App later.
@Cuonghuutran as mentioned earlier, since you are on a Splunk version less than 6.5, your would need to use a dummy search with finalized
search event handler to default the token value on loading the dashboard.
I have converted my comment to answer. Please accept to mark this question as answered.
Accepted and upvoted. Thanks again everyone.
You accepted the wrong one! Maybe mine was helpful and deserved an UpVote
, but @niketnilay had the good stuff with the real answer.
Don't forget to click Accept
on the answer to close the question and click on some UpVotes
, too!
Hello @Cuonghuutran,
just a few questions:
<set token="InQueryHash">b6ffee0d1c4f18ba</set>
located in the <init></init>
of the dashboard? A previous search?$InQueryHash$
in the title of the table? This is faster than installing the Developper Gadget App
, but less powerful.Try the Developer Gadgets App
to help you see exactly what all of your tokens are all of time time: