Re: Panel with regular expression data is not allo...

skodak · ‎07-27-2020

I have a dashboard with 2 panels.

1 st panel is a bar chart whose data will populate based on 2nd panel (drilldown)

When I select data on 2nd panel with stats, graph is getting filtered in 1st panel. Problem is when my 2nd panel data consists of regular expression like [[A-ZA-Z '\-\.\xC0-], my token in not able to hold this kind of data and is not showing results in 1st panel.

Please help to fix this issue.

richgalloway · ‎07-28-2020

Please share the searches for the 2 panels.

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-29-2020

Panel 1 Query -

index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) (ACCOUNT="$ACCOUNT$", REQUEST="$REQUEST$",STATUS_DETAIL="$STATUS_DETAIL$",STATUS_TYPE="$STATUS$")
| eventstats sum(RECORD_COUNT) as TOTAL_COUNT by ACCOUNT, REQUEST,STATUS_DETAIL,STATUS
| eval account_request_status = ACCOUNT . ":::" . REQUEST . ":::" . STATUS
| timechart span=1m limit=0 sum(RECORD_COUNT) by account_request_status

Panel 2 Query -

index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) $requesttype$ $Account$ $status$|eventstats sum(RECORD_COUNT) as TOTAL_COUNT by REQUEST ,ACCOUNT,STATUS_DETAIL, STATUS
| stats count by ACCOUNT, REQUEST,STATUS,STATUS_DETAIL, TOTAL_COUNT
| fields - count

STATUS_DETAIL is generating regex which is generated in realtime.

Please help.

richgalloway · ‎07-29-2020

Try telling Splunk to put quotation marks around the token values by using the |s filter.

index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) (ACCOUNT="$ACCOUNT$", REQUEST="$REQUEST$",STATUS_DETAIL="$STATUS_DETAIL|s$",STATUS_TYPE="$STATUS$")
| eventstats sum(RECORD_COUNT) as TOTAL_COUNT by ACCOUNT, REQUEST,STATUS_DETAIL,STATUS
| eval account_request_status = ACCOUNT . ":::" . REQUEST . ":::" . STATUS
| timechart span=1m limit=0 sum(RECORD_COUNT) by account_request_status

See https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/tokens#Syntax_to_consume_tokens

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-30-2020

Tried, but results in below error -

Unknown search command '0'.

richgalloway · ‎07-30-2020

Splunk is not liking something in the field. One or more characters may need to be escaped.

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-30-2020

I tried to add |n which is working in few regex like 'RESPECT TO PATTERN '[0-9]+''

Please let me know if I can add like-

|s|n$

richgalloway · ‎07-30-2020

Pretty sure that won't work, but give it a try.

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-30-2020

Yeah not working @richgalloway

Any other suggestions please.

richgalloway · ‎07-30-2020

Let me back up a little. Why does STATUS_DETAIL contain a regular expression and does the index being searched contain that same string?

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-30-2020

I am not sure about this as it generates a huge realtime data and I have just access to Splunk UI for creating dashboards.

skodak · ‎07-30-2020

Tried like this, but no luck

STATUS_DETAIL|s|n$

Panel with regular expression data is not allowing to capture data for drilldown

drilldown

panel

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Are you a member of the Splunk Community?

Panel with regular expression data is not allowing to capture data for drilldown

drilldown

panel

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2