Hi,
I'm preparing for the certification exam and I would appreciate the answer with examples.
Thank you
Tokens capture and pass values in a dashboard. Token values can come from various sources, including form inputs and predefined token values for visualizations. Searches can access token values.
In a search, token name syntax uses $...$ delimiters. For example, if you define a form input token as field_tok, you can specify the token in a search as $field_tok$. Here is an example.
<search>
<query>
index=_internal source=*splunkd.log | stats count by $field_tok$
</query>
</search>
Token filters ensure that you correctly capture the value of a token.
Example: Wrap value in quotes - $token_name|s$
This token filter ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.
The following code snippet uses the |s filter to place quotation marks around the value returned from a token:
<search>
<query>
index=_internal sourcetype=$sourcetype_tok|s$ | timechart count by sourcetype
</query>
</search>
If the value of sourcetype_tok is access_combined, it builds the following search string:
index=_internal sourcetype="access_combined" | timechart count by sourcetype
Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/tokens
https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/tokens#Token_filters
@askd91
Kindly accept the answer if it helped you, so others can refer to it.
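The substitution described in the answer above, as an added example that is not part of the original thread and not Splunk's code. It is a simplified Python model: the names render and s_filter and the second sample value are constructed for illustration, and only the quote-wrapping and quote-escaping behaviour stated in the answer is modelled.

```python
import re

# Simplified model of dashboard token substitution, based only on the
# behaviour described in the answer above. Not Splunk's implementation;
# anything the answer does not describe (e.g. backslashes) is not modelled.
TOKEN_RE = re.compile(r"\$(\w+)(?:\|(\w+))?\$")


def s_filter(value):
    """|s: wrap the value in double quotes and escape embedded quotes."""
    return '"' + value.replace('"', '\\"') + '"'


FILTERS = {"s": s_filter}


def render(query, tokens):
    """Replace $name$ and $name|filter$ with the token's value."""
    def substitute(match):
        name, filter_name = match.group(1), match.group(2)
        if name not in tokens:
            return match.group(0)  # unset token: leave the placeholder as is
        value = tokens[name]
        if filter_name is None:
            return value  # pasted into the search string unchanged
        if filter_name not in FILTERS:
            raise ValueError("filter not modelled: " + filter_name)
        return FILTERS[filter_name](value)
    return TOKEN_RE.sub(substitute, query)


# The query from the answer, without and with the |s filter.
RAW = "index=_internal sourcetype=$sourcetype_tok$ | timechart count by sourcetype"
QUOTED = "index=_internal sourcetype=$sourcetype_tok|s$ | timechart count by sourcetype"


def demo():
    results = []
    # First value is from the answer; the second is constructed for this example.
    for value in ("access_combined", 'my "custom" type'):
        tokens = {"sourcetype_tok": value}
        results.append((render(RAW, tokens), render(QUOTED, tokens)))
    return results


if __name__ == "__main__":
    for raw, quoted in demo():
        print("no filter:", raw)
        print("|s filter:", quoted)
```

With the unfiltered token, a value containing spaces and quotes lands in the search as several separate terms; with |s it stays one quoted literal.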