Dashboards & Visualizations

How and when to use $abc$ to tell Splunk that abc is a field name?

HeinzWaescher
Motivator

Somewhere I read about using $abc$, to tell Splunk that abc is a fieldname?
I can't find explanations in the docs on when and how it can be used. Can someone provide a link regarding this topic?

Cheers
Heinz

0 Karma

Sebastian2
Path Finder

Are macros what you are looking for?

macros.conf

[my_macro(2)]
args = arg1, arg2
definition = search index=$arg2$ sourcetype=$arg$ ...

Since you can call macros in macros this may look as if $abc$ was used as some kind of fieldname.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros

0 Karma

gyarici
Path Finder

Hi Heinz,

If you want to add any input on your dashboard(drop-down menu, check-box,multi select,etc...) , there is a section called "token".

Let's you insert there as abc into token section means you can use this variable as $abc$ in your splunk serach query. Once this inout selected by user(example dropdown menu), your search directly take this variable fr searching.

There is also detail information from the link below.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens

Thanks

Gokhan

0 Karma

HeinzWaescher
Motivator

Hi,

I know the usage for form inputs in dashboards. But I think it can be used in a saved search as well, here is an example with a field called clicks/user

These two options do not work

| fieldformat clicks/user=tostring(clicks/user, "commas")

| fieldformat clicks/user=tostring("clicks/user", "commas")

But when I use
| fieldformat clicks/user=tostring($clicks/user*$*, "commas")

it works fine

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

@HeinzWaescher, in this scenario, it operates as the ' single quotes needed to escape punctuation characters or non [a-z] stuff inside of a field name. So, the normal version of your search would be:

| fieldformat clicks/user=tostring('clicks/user', "commas")

Within an eval statement, double quotes " are always used to specify string literals whereas the single quote ' is used to help specify fields. I would suggest keeping your field names free of punctuation and strange characters, e.g.

| eval clicks_per_user = clicks / user
| fieldformat clicks_per_user = tostring(clicks_per_user, "commas")

HeinzWaescher
Motivator

Thanks a lot!

0 Karma

sundareshr
Legend

You can define and use Token in dashbaords. Is that what you're thinking of? What are you trying to do?

http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...