Dashboards & Visualizations

Explain how tokens work and define types of token filters?

askd91
Engager

Hi,
I'm preparing for the certification exam and I would appreciate the answer with examples.

Thank you

0 Karma
1 Solution

jawaharas
Motivator

Tokens

Tokens capture and pass values in a dashboard. Token values can come from various sources, including form inputs and predefined token values for visualizations. Searches can access token values.

In a search, token name syntax uses $...$ delimiters. For example, if you define a form input token as field_tok, you can specify the token in a search as $field_tok$. Here is an example.

<search>
  <query>
    index=_internal source=*splunkd.log | stats count by $field_tok$
  </query>
</search>

Token filters

Token filters ensure that you correctly capture the value of a token.
Example: Wrap value in quotes - $token_name|s$

This token filter ensures that quotation marks surround the value referenced by the token. It escapes all quotation characters, ", within the quoted value.

The following code snippet uses the |s filter to place quotation marks around the value returned from a token:

<search>
  <query>
    index=_internal sourcetype=$sourcetype_tok|s$ | timechart count by sourcetype
  </query>
</search>

If the value of sourcetype_tok is access_combined, it builds the following search string:

index=_internal sourcetype="access_combined" | timechart count by sourcetype

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/tokens
https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/tokens#Token_filters
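
A simplified Python model of the substitution described in the answer above, added here as an illustration; it is not part of the original post and not Splunk's own code. The names render, quote_filter, RAW_QUERY and QUOTED_QUERY are hypothetical, the sample values are constructed, and the backslash escape style is an assumption.

```python
import re

# Matches $name$ and $name|filter$ as described in the answer above.
TOKEN_RE = re.compile(r"\$(\w+)(?:\|(\w+))?\$")

def quote_filter(value):
    # |s as the answer describes it: surround with quotation marks and escape
    # embedded ones. Backslash as the escape character is an assumption here.
    return '"' + value.replace('"', '\\"') + '"'

FILTERS = {"s": quote_filter}  # only the filter covered on this page

def render(query, tokens):
    """Substitute token values into a query string (simplified model)."""
    def substitute(match):
        name, filter_name = match.group(1), match.group(2)
        if name not in tokens:
            raise KeyError(f"token {name!r} is not set")
        value = tokens[name]
        if filter_name is None:
            return value  # bare $name$: value is pasted in unchanged
        if filter_name not in FILTERS:
            raise ValueError(f"filter {filter_name!r} is not modelled")
        return FILTERS[filter_name](value)
    return TOKEN_RE.sub(substitute, query)

# The answer's sourcetype query; RAW_QUERY is a constructed variant without |s.
RAW_QUERY = "index=_internal sourcetype=$sourcetype_tok$ | timechart count by sourcetype"
QUOTED_QUERY = "index=_internal sourcetype=$sourcetype_tok|s$ | timechart count by sourcetype"

if __name__ == "__main__":
    # Constructed sample values: plain, containing a space, containing quotes.
    for value in ["access_combined", "my app logs", 'my "web" logs']:
        tokens = {"sourcetype_tok": value}
        print("value :", value)
        print("  raw :", render(RAW_QUERY, tokens))
        print("  |s  :", render(QUOTED_QUERY, tokens))
```

With the value my app logs, the unfiltered form produces sourcetype=my app logs, where only my belongs to the sourcetype comparison; the |s form keeps the whole value as one quoted string.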

jawaharas
Motivator

@askd91
Kindly accept the answer if it helped you, so others can refer to it.

0 Karma