Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Stop automatic formatting from HEX to INT in Splunk Dashboard Studio?

tudorex5
Explorer
‎08-23-2023 04:16 AM

Hello,

I am trying to make a table viz in my absolute dashboard studio dashboard. I have a query that has a field called "Failure_Code" that usually presents the hex values (0x18 or 0x12). When developing the query in the search app, the data gets printed in the table statistics as is (in 0x.... format) . That is how I would like it to be printed out in my dashboard.

As soon as I add the query into a table view in a dashboard, it automatically gets converted to int(24, 18...). I am not using any eval, stats or renaming on this field. I tried adding a formatting option on that column, noticed it's automatically set to "number" in the context stanza(formatting function), and modified it to "string" in the JSON source code but it didn't stop the formatting. 
I tried the tonumber(myField,"hex") solution but my field was turned to null, and also replacing hex with 16. I tried printf, nothing seems to work.

Thank you for the help!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2023 01:46 AM

Please try upgrading to the latest version of Splunk (it works on 9.1.0.2, but not on 8.2.2.1)

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2023 04:54 AM 
| eval myField=tostring(myField,"hex")
Reply
Solved! Jump to solution

tudorex5
Explorer
‎08-23-2023 07:43 AM

Thanks for the quick reply.

Unfortunately, using | eval Failure_Code=tostring(Failure_Code,"hex") turns the entire field to null values : 

tudorex5_0-1692801456075.png

Here it is, working in a normal search query, without the eval (exact same query, opened from the dashboard panel with the "Open in search" option):

tudorex5_1-1692801514142.png

 

And here is the result without the eval, in the dashboard table  : 

tudorex5_2-1692801578855.png

Added SS for clarification, in case my question was all over the place.

Can I use some type of sed/replace or something similar to add quotes to my failure_code or force it into a string value any other way? I'd rather just have it print out clean, like in the normal search, but dashboard studio seems to be doing some behind the scenes formatting that I don;t really get the hang of yet.

 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2023 08:19 AM

Which version of Splunk are you using?

Reply
Solved! Jump to solution

tudorex5
Explorer
‎08-24-2023 11:09 PM

Enterprise 9.0.0.1 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2023 01:46 AM

Please try upgrading to the latest version of Splunk (it works on 9.1.0.2, but not on 8.2.2.1)

Reply
Solved! Jump to solution

tudorex5
Explorer
‎08-28-2023 12:39 AM

It's going to be a while until it's updated on my end, but I'll mark the answer and reply if it doesn't work, which I hope won't be the case 😅

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...