Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I put my search string in a dashboard panel with a colon in the field name?

mjm295
Path Finder
‎08-20-2015 03:08 PM

Hi Guys

I have a search string which quotes field names with $ and works great. However, when I put that into a panel on a dashboard, I get the "waiting for input" message on the panel.

Search string:

index=aws-bill user:showback!=""  | eval showback=case(match($user:showback$, "IT Enterprise Services:*"), "INFRA", match($user:showback$, "IT:*"), "OtherIT", match($user:showback$, "Websites:*"), "WEBSITES", 1=1, "OLDDATA") | timechart sum(BlendedCost) as $ by showback useother=f limit=10

If I remove the $ quotes, eval complains about malformed expression due to the colon in the name.

So what am I doing wrong?

Mark

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-20-2015 03:57 PM

Consider renaming the field to something without a colon in it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-20-2015 03:57 PM

Consider renaming the field to something without a colon in it.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mjm295
Path Finder
‎08-20-2015 06:20 PM

Thanks Rich - that's working now. never come across "rename" before.

0 Karma
Reply
Solved! Jump to solution

mjm295
Path Finder
‎08-20-2015 05:06 PM

Thanks for the suggestion but how would I do that? I've tried:

index=aws-bill user:showback!=""  | rex field=_raw mode=sed "s/\://g" | eval showback=case(match(usershowback, "IT Enterprise Services:*"), "INFRA", match(usershowback, "IT:*"), "JUSTIT", match(usershowback, "Websites:*"), "WEBSITES", 1=1, "OLDDATA") | timechart sum(BlendedCost) as $ by showback useother=f limit=10

The colon is gone in the raw data but the eval is not picking it up.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-20-2015 05:53 PM

Try this

index=aws-bill user:showback!=""  | rename "user:showback" as user_showback | eval showback=case(match($user_showback$, "IT Enterprise Services:*"), "INFRA", match($user_showback$, "IT:*"), "OtherIT", match($user_showback$, "Websites:*"), "WEBSITES", 1=1, "OLDDATA") | timechart sum(BlendedCost) as $ by showback useother=f limit=10
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...