topic Re: How and when to use $abc$ to tell Splunk that abc is a field name? in Dashboards & Visualizations

How and when to use $abc$ to tell Splunk that abc is a field name?

HeinzWaescher — Mon, 16 Nov 2015 13:36:21 GMT

Somewhere I read about using $abc$ , to tell Splunk that abc is a fieldname?
I can't find explanations in the docs on when and how it can be used. Can someone provide a link regarding this topic?

Cheers
Heinz

Re: How and when to use $abc$ to tell Splunk that abc is a field name?

sundareshr — Mon, 16 Nov 2015 13:50:23 GMT

You can define and use Token in dashbaords. Is that what you're thinking of? What are you trying to do?

http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens

Re: How and when to use $abc$ to tell Splunk that abc is a field name?

gyarici — Mon, 16 Nov 2015 13:50:41 GMT

Hi Heinz,

If you want to add any input on your dashboard(drop-down menu, check-box,multi select,etc...) , there is a section called "token".

Let's you insert there as abc into token section means you can use this variable as $abc$ in your splunk serach query. Once this inout selected by user(example dropdown menu), your search directly take this variable fr searching.

There is also detail information from the link below.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens

Thanks

Gokhan

Re: How and when to use $abc$ to tell Splunk that abc is a field name?

HeinzWaescher — Tue, 29 Sep 2020 07:52:34 GMT

Hi,

I know the usage for form inputs in dashboards. But I think it can be used in a saved search as well, here is an example with a field called clicks/user

These two options do not work

| fieldformat clicks/user=tostring(clicks/user, "commas")

| fieldformat clicks/user=tostring("clicks/user", "commas")

But when I use
| fieldformat clicks/user=tostring($clicks/user*$*, "commas")

it works fine

Re: How and when to use $abc$ to tell Splunk that abc is a field name?

aljohnson_splun — Mon, 16 Nov 2015 17:05:37 GMT

@HeinzWaescher, in this scenario, it operates as the ' single quotes needed to escape punctuation characters or non [a-z] stuff inside of a field name. So, the normal version of your search would be:

| fieldformat clicks/user=tostring('clicks/user', "commas")

Within an eval statement, double quotes " are always used to specify string literals whereas the single quote ' is used to help specify fields. I would suggest keeping your field names free of punctuation and strange characters, e.g.

| eval clicks_per_user = clicks / user
| fieldformat clicks_per_user = tostring(clicks_per_user, "commas")

Re: How and when to use $abc$ to tell Splunk that abc is a field name?

HeinzWaescher — Wed, 18 Nov 2015 15:46:27 GMT

Thanks a lot!

Re: How and when to use $abc$ to tell Splunk that abc is a field name?

Sebastian2 — Wed, 18 Nov 2015 15:59:48 GMT

Are macros what you are looking for?

macros.conf

[my_macro(2)]
args = arg1, arg2
definition = search index=$arg2$ sourcetype=$arg$ ...

Since you can call macros in macros this may look as if $abc$ was used as some kind of fieldname.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros