- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How and when to use $abc$ to tell Splunk that ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How and when to use $abc$ to tell Splunk that abc is a field name?
Somewhere I read about using $abc$, to tell Splunk that abc is a fieldname?
I can't find explanations in the docs on when and how it can be used. Can someone provide a link regarding this topic?
Cheers
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are macros what you are looking for?
macros.conf
[my_macro(2)]
args = arg1, arg2
definition = search index=$arg2$ sourcetype=$arg$ ...
Since you can call macros in macros this may look as if $abc$ was used as some kind of fieldname.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usesearchmacros
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Heinz,
If you want to add any input on your dashboard(drop-down menu, check-box,multi select,etc...) , there is a section called "token".
Let's you insert there as abc into token section means you can use this variable as $abc$ in your splunk serach query. Once this inout selected by user(example dropdown menu), your search directly take this variable fr searching.
There is also detail information from the link below.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens
Thanks
Gokhan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I know the usage for form inputs in dashboards. But I think it can be used in a saved search as well, here is an example with a field called clicks/user
These two options do not work
| fieldformat clicks/user=tostring(clicks/user, "commas")
| fieldformat clicks/user=tostring("clicks/user", "commas")
But when I use
| fieldformat clicks/user=tostring($clicks/user*$*, "commas")
it works fine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@HeinzWaescher, in this scenario, it operates as the ' single quotes needed to escape punctuation characters or non [a-z] stuff inside of a field name. So, the normal version of your search would be:
| fieldformat clicks/user=tostring('clicks/user', "commas")
Within an eval statement, double quotes " are always used to specify string literals whereas the single quote ' is used to help specify fields. I would suggest keeping your field names free of punctuation and strange characters, e.g.
| eval clicks_per_user = clicks / user
| fieldformat clicks_per_user = tostring(clicks_per_user, "commas")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can define and use Token in dashbaords. Is that what you're thinking of? What are you trying to do?
http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
