- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to set a token from a base search in my da...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi there,
I want to display an image based on the result of a search. My dashboard has a "base search" which is used in multiple visualizations on the dashboard:
<search id="BaseSearch">
<query>
.... | stats last(_time) as latest BY current_observation.display_location.city current_observation.dewpoint_c current_observation.feelslike_c current_observation.icon_url current_observation.image.url current_observation.weather
</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
<finalized>
<set token="tok_wimg">$result.current_observation.icon_url$</set>
</finalized>
</search>
.... and an html panel:
<html>
$tok_wimg$
</html>
When executing the dashboard, I see that the html panel shows:
$result.current_observation.icon_url$
but not the content, so I guess that:
a) setting the token does not work like this?
or
b) I need to find a way to render the html panel when the search has finished?
Do you have any suggestions?
thanks
steve
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Steve,
You just need to include a condition for matching and set the token. for eg: below is a working example
<dashboard>
<label>TEST</label>
<row>
<panel>
<table>
<search>
<query>index=* |stats count by sourcetype</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<finalized >
<condition match=" 'job.resultCount' != 0">
<set token="tok_wimg">$result.sourcetype$</set>
</condition>
<condition>
<set token="tok_wimg">No result found</set>
</condition>
</finalized >
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<html>
<h1>$tok_wimg$</h1>
</html>
</panel>
</row>
</dashboard>
The html panel will display the token name just during the execution time since you are setting the token on search finalization. If you do not want to display at all, just hide the panel until search is finished using the tokens.
See here for details
http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/EventHandlerReference#Search_event_handlers
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Steve,
You just need to include a condition for matching and set the token. for eg: below is a working example
<dashboard>
<label>TEST</label>
<row>
<panel>
<table>
<search>
<query>index=* |stats count by sourcetype</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<finalized >
<condition match=" 'job.resultCount' != 0">
<set token="tok_wimg">$result.sourcetype$</set>
</condition>
<condition>
<set token="tok_wimg">No result found</set>
</condition>
</finalized >
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<html>
<h1>$tok_wimg$</h1>
</html>
</panel>
</row>
</dashboard>
The html panel will display the token name just during the execution time since you are setting the token on search finalization. If you do not want to display at all, just hide the panel until search is finished using the tokens.
See here for details
http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/EventHandlerReference#Search_event_handlers
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How does anybody consider this a valid answer? The question specifically asks says from a base search. There is no base search in this answer. What am I missing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a different method when its on base search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is great, thanks a bunch!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THANK YOU! I was trying so hard just to wrap text for a SingleElement and messing with so much stuff... this was so much easier. Thank you so much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi renjith.nair,
your example works. thanks!
thanks
steve
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
