How do I added a token to the query of a dashboard in Splunk?

Question

I recreated the dashboard using the report query and have the search returning all of the table results. I have an input for the reference number as a text box. The token name is: purchCostReferenceToken

I want to limit the table results based on this token. This is the query:

<form>
  <label>Thru Train Dashboard</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="purchCostReferenceToken" searchWhenChanged="true">
      <label>Enter a TMS Reference Number to Filter Table</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Thru Train Data</title>
      <table>
        <search>
          <query>index=... "&lt;billingMethod&gt;RULE&lt;/billingMethod&gt;" "createMessage MsgSource" | xmlkv | rex max_match=0 "\&lt;purchasedCostTripSegment\&gt;(?P&lt;segment&gt;[^\&lt;]+)" |eval Segments =  mvrange(1,mvcount(mvindex(segment, 0, 2))+1,1) | rex max_match=0 "\&lt;carrier\&gt;(?P&lt;Carriers&gt;[^\&lt;]+)" | rex max_match=0 "\&lt;billingMethod\&gt;(?P&lt;BillingMethod&gt;[^\&lt;]+)" | rex max_match=0 "&lt;purchasedCostTripSegment&gt;[\s\S]*?&lt;origin&gt;\s*&lt;ns2:numberCode&gt;(?P&lt;Origin&gt;\d+)"  | rex max_match=0 "&lt;purchasedCostTripSegment&gt;[\s\S]*?&lt;destination&gt;\s*&lt;ns2:numberCode&gt;(?P&lt;Destination&gt;\d+)" | rex max_match=0 "&lt;purchasedCostTripSegment&gt;[\s\S]*?&lt;stopOff&gt;\s*&lt;ns2:stopOffLocation&gt;\s*&lt;ns2:numberCode&gt;(?P&lt;StopOffLocation&gt;\d+)" | eval Time =_time | convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time) | table purchCostReference, eventType, Time, Segments, Carriers, BillingMethod, Origin, Destination, StopOffLocation | sort Time</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Where do I add the token to limit the search? I tried adding this to the end of the query before the table command:

...   | eval Time =_time | convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time) purchCostReference=$purchCostReferenceToken$ | table purchCostReference, eventType, Time, Segments, Carriers, BillingMethod, Origin, Destination, StopOffLocation | sort Time

I get an error... error in convert command: the argument purchCostReference- is invalid

I would like to add filters in several of the table columns. The purchCostReference value is an extracted field in the query using xmlkv

Answer 1

Technically, a token can be placed anywhere in a query, but the query has to be valid when the token is replaced with its value. convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time) purchCostReference=4 is not valid SPL.

If the field referenced by the token is extracted automatically then it's usually best to put the token in the base search. That's not the case here.

You should use a search or where command to filter events based on the token value. Something like xmlkv | search purchCostReference=$purchCostReferenceToken$ xmlkv | search purchCostReference=$purchCostReferenceToken$ .