topic Re: Inputlookup, Return command <$Field> and <Field> confusion with Dashboard Implementation in Splunk Search

Inputlookup, Return command <$Field> and confusion with Dashboard Implementation?

SubtotalAMG — Fri, 09 Jun 2023 13:35:58 GMT

Hey All,

So I'm relatively new to Splunk. I have a csv file that has multiple computers and I've created a dashboard trying to get reports based on the parameters the user chooses. The search by itself is fine and is this:

but when I start placing that search in a dashboard with user inputs it looks like this:

Once implemented I get a "Search is wating for input..." even after selecting an input and clicking the submit button.

But I found the solution for the dashboard is:

So if you noticed the difference it's the <$field> with the return command. I don't understand the difference between <$field> and <field>.
I've searched everywhere and the documentation on it still confuses me, even posts from this community forum. Why does it matter when it comes into the dashboard?
But when I use either format ( <$field> and <field>) for normal searching it doesn't have a problem and actually spits back the exact same results between the two. Which according to the documentation and from research that's not even supposed to happen. But it throws a fit when I place it into the dashboard. Can someone ELI5?

Some Sources that I've used and don't make much sense to me:

https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92212

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/SearchReference/Return

Re: Inputlookup, Return command <$Field> and confusion with Dashboard Implementation

ITWhisperer — Thu, 08 Jun 2023 04:40:33 GMT

Tokens (I presume Type_of_deployment is a token set by some input on your dashboard) are delimited by dollar signs and the search will wait for the input for the token to be completed. The search is probably waiting for a token called "IIS_for_XServers cs_uri_stem=" (which doesn't exist) - try doubling up the dollars for the variables

Re: Inputlookup, Return command <$Field> and confusion with Dashboard Implementation

yuanliu — Thu, 08 Jun 2023 05:01:06 GMT

I honestly have never encountered use of <$field> in SPL because SPL generally uses bare string for field name, and <$token$> for token name. If return is not the only command that uses this syntax, it must be among an extreme few. And as you just experience, using <$field> notation does more harm than good.

So, why does the following give you "waiting for input?"

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_Server ] OR
([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_for_XServers cs_uri_stem=$Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

If you are a compiler and scan the command, you'll see the following potential tokens in need of population:

$Type_of_deployment$
$IIS_Server ] OR
([| inputlookup FileName.csv |$
$IIS_for_XServers cs_uri_stem=$
$Span_Timechart$

You may have $Type_of_deployment$ and $Span_Timechart$ defined in your dashboard input, but I am sure not the others. Hence "waiting for input."

You can report this as a Simple XML bug. There may be some strategies for the scanner to tokenize $IIS_Server within that subsearch as an alternative format for return command. But in practice, it is easier to just forget that return command has an alternative format for field name, and stick to using bare word. The documentation clearly says that there is no semantic difference.

Re: Inputlookup, Return command <$Field> and confusion with Dashboard Implementation

SubtotalAMG — Thu, 08 Jun 2023 22:56:02 GMT

You're alternative solution worked thank you!

Re: Inputlookup, Return command <$Field> and confusion with Dashboard Implementation

SubtotalAMG — Thu, 08 Jun 2023 22:57:07 GMT

Compiler view helped me understand the problem and the alternative solution worked as well thank you!