How to pass token from dashboard to a report

orion44 · ‎02-08-2019

I have a simple dashboard that I use to input an IP address to query a report I've saved.

   <form>
      <label>Syslog Data Search</label>
      <fieldset autoRun="true" submitButton="false">
        <input type="text" token="ip" searchWhenChanged="true">
          <label>IP address:</label>
          <default></default>
        </input>
      </fieldset>
      <row>
        <panel>
          <title>Syslog Report</title>
          <table>
            <search ref="Syslog Report"></search>
            <drilldown>
              <link target="_blank">https://whois.domaintools.com/$click.value$</link>
            </drilldown>
          </table>
        </panel>
      </row>
    </form>

I've configured the report to use the token via SRC=$ip$

However this does not work and the token is not passed to the report after entering it into the dashboard. Is it even possible to pass a token to a report?

vnravikumar · ‎02-09-2019

Hi @orion44

Try like

<form>
  <label>SampleDashboard</label>
  <fieldset submitButton="false">
    <input type="text" token="name_param">
      <label>Name</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|savedsearch testreport name="$name_param$"</query>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">/app/search/report?s=testreport</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

orion44 · ‎02-09-2019

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'Syslog Report': Error while replacing variable name='ip'. Could not find variable in the argument map..

vnravikumar · ‎02-09-2019

In your case, >|savedsearch testreport ip="$name_param$"

orion44 · ‎02-12-2019

Still doesn't work.

My saved report defines the variable as SRC=ip

The dashboard captures and passes the variable like this:
<input type="text" token="ip" searchWhenChanged="true">
|savedsearch "Syslog Report" ip=$ip$

vnravikumar · ‎02-12-2019

Try with

|savedsearch "Syslog Report" ip="$ip$"

orion44 · ‎02-19-2019

Thanks, I appreciate the time you've spent to help me with this. Unfortunately that still doesn't work. I don't think it's possible to pass tokens to saved searches.

vnravikumar · ‎02-19-2019

Its possible. Try to execute the query in search bar with some ip address like and test
|savedsearch "Syslog Report" ip="192.168.56.1"

dmuraleetcs · ‎02-22-2019

its possible to pass the token through saved search, but token field name is the one you need to use it in your savedsearch report query.

if you want to exexute : |savedsearch "Syslog Report" token_SourceIPAddress="$ip$"
your saved search should be like,

index=someindex src_ip_field=$token_SourceIPAddress$

gurlest · ‎06-25-2019

Seems like the long way around - but it works like a charm!

woodcock · ‎02-08-2019

You can do this with the | savedsearch command which allows you to pass tokens to it:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch

jaxjohnny2000 · ‎10-28-2019

This seems to also imply we cannot schedule the report. If there is a variable in the report, then the report will not know what to do with it, no?

woodcock · ‎10-28-2019

Correct; one or the other.

jaxjohnny2000 · ‎10-29-2019

Thank you. I clicked the vote. 🙂

Do you know how to place the report last run date/time on the dashboard? Since the data is essentially static, and only as good as the last run. I would like to place the last run date so it's "Effective as of..."

How to pass token from dashboard to a report

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk