
How to set a token based on search results?

troyward
Explorer

I have a dropdown input that allows a user to select a user name:

  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="DisplayUsername" searchWhenChanged="true">
      <search id="base_0">
        <query>
          | inputlookup users | fields DisplayUsername | dedup DisplayUsername | sort DisplayUsername
        </query>
        <earliest>0</earliest>
      </search>
      <label>User</label>
      <fieldForLabel>DisplayUsername</fieldForLabel>
      <fieldForValue>DisplayUsername</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>

This provides me a token with the user's Display Name, which I need. But I also need to then get the team that the user belongs to, which is in the same lookup table as the initial search. My first idea was to create a new token that is set with the dropdown's Change event like this:

      <change>
        <set token="tok_Team">| inputlookup ctf_users 
          | search DisplayUsername = "Tommy Tiertwo" 
          | fields Team</set>
      </change>

But when I do that, the token is actually set to the search string itself and not the result. Any ideas?

0 Karma

renjith_nair
SplunkTrust

@troyward,

Try this and adjust the searches according to your fields and indexes

<form>
  <label>Token Based On Search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="DisplayUsername">
      <label>DisplayUsername</label>
      <fieldForLabel>DisplayUsername</fieldForLabel>
      <fieldForValue>DisplayUsername</fieldForValue>
      <search>
        <query>| inputlookup users | fields DisplayUsername | dedup DisplayUsername | sort DisplayUsername</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel depends="$this_token_is_not_set_at_anytime$">
      <table>
         <search>
            <query> inputlookup ctf_users| search DisplayUsername="$DisplayUsername$"|fields Team </query>
            <earliest>-15m</earliest>
            <latest>now</latest>            
            <done>
              <set token="Department">$result.Team$</set>
            </done>
        </search>
      </table>
    </panel>
    <panel>
      <title>$DisplayUsername$   : $Department$</title>
      <table>
        <search>
          <query>index="your index" user="$DisplayUsername$" Department="$Department$"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!
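
A variant of the approach above, as an added example that is not part of the original thread: the lookup runs as a form-level search instead of inside a hidden panel, its query starts with a leading pipe, tokens go through the `|s` filter so the value is quoted and escaped rather than pasted between literal quotes, and `Department` is cleared when the lookup returns no row. Lookup, field and index names are taken from the posts above; `head 1` and the `depends` attribute on the panel are assumptions added here.

```xml
<form>
  <label>Token Based On Search</label>
  <!-- Form-level search: re-runs when the dropdown token changes, renders nothing. -->
  <search>
    <!-- The |s filter wraps the token value in quotes and escapes embedded quotes. -->
    <query>| inputlookup ctf_users | search DisplayUsername=$DisplayUsername|s$ | fields Team | head 1</query>
    <done>
      <!-- result.Team is the Team field of the first result row. -->
      <condition match="'job.resultCount' &gt; 0">
        <set token="Department">$result.Team$</set>
      </condition>
      <!-- No matching row: clear the token so a stale team is never reused. -->
      <condition>
        <unset token="Department"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="DisplayUsername" searchWhenChanged="true">
      <label>DisplayUsername</label>
      <fieldForLabel>DisplayUsername</fieldForLabel>
      <fieldForValue>DisplayUsername</fieldForValue>
      <search>
        <query>| inputlookup users | fields DisplayUsername | dedup DisplayUsername | sort DisplayUsername</query>
      </search>
    </input>
  </fieldset>
  <row>
    <!-- Panel stays hidden, and its search does not run, until Department is set. -->
    <panel depends="$Department$">
      <title>$DisplayUsername$ : $Department$</title>
      <table>
        <search>
          <query>index="your index" user=$DisplayUsername|s$ Department=$Department|s$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```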


woodcock
Esteemed Legend

Line #19 is missing a leading pipe, right?

troyward
Explorer

Worked perfect. Wish there was a cleaner way to do it, but either way...thanks.

0 Karma