Re: Panel with regular expression data is not allo...

skodak · ‎07-27-2020

I have a dashboard with 2 panels.

1 st panel is a bar chart whose data will populate based on 2nd panel (drilldown)

When I select data on 2nd panel with stats, graph is getting filtered in 1st panel. Problem is when my 2nd panel data consists of regular expression like [[A-ZA-Z '\-\.\xC0-], my token in not able to hold this kind of data and is not showing results in 1st panel.

Please help to fix this issue.

richgalloway · ‎07-28-2020

Please share the searches for the 2 panels.

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-29-2020

Panel 1 Query -

index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) (ACCOUNT="$ACCOUNT$", REQUEST="$REQUEST$",STATUS_DETAIL="$STATUS_DETAIL$",STATUS_TYPE="$STATUS$")
| eventstats sum(RECORD_COUNT) as TOTAL_COUNT by ACCOUNT, REQUEST,STATUS_DETAIL,STATUS
| eval account_request_status = ACCOUNT . ":::" . REQUEST . ":::" . STATUS
| timechart span=1m limit=0 sum(RECORD_COUNT) by account_request_status

Panel 2 Query -

index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) $requesttype$ $Account$ $status$|eventstats sum(RECORD_COUNT) as TOTAL_COUNT by REQUEST ,ACCOUNT,STATUS_DETAIL, STATUS
| stats count by ACCOUNT, REQUEST,STATUS,STATUS_DETAIL, TOTAL_COUNT
| fields - count

STATUS_DETAIL is generating regex which is generated in realtime.

Please help.

richgalloway · ‎07-29-2020

Try telling Splunk to put quotation marks around the token values by using the |s filter.

index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) (ACCOUNT="$ACCOUNT$", REQUEST="$REQUEST$",STATUS_DETAIL="$STATUS_DETAIL|s$",STATUS_TYPE="$STATUS$")
| eventstats sum(RECORD_COUNT) as TOTAL_COUNT by ACCOUNT, REQUEST,STATUS_DETAIL,STATUS
| eval account_request_status = ACCOUNT . ":::" . REQUEST . ":::" . STATUS
| timechart span=1m limit=0 sum(RECORD_COUNT) by account_request_status

See https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/tokens#Syntax_to_consume_tokens

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-30-2020

Tried, but results in below error -

Unknown search command '0'.

richgalloway · ‎07-30-2020

Splunk is not liking something in the field. One or more characters may need to be escaped.

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-30-2020

I tried to add |n which is working in few regex like 'RESPECT TO PATTERN '[0-9]+''

Please let me know if I can add like-

|s|n$

richgalloway · ‎07-30-2020

Pretty sure that won't work, but give it a try.

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-30-2020

Yeah not working @richgalloway

Any other suggestions please.

richgalloway · ‎07-30-2020

Let me back up a little. Why does STATUS_DETAIL contain a regular expression and does the index being searched contain that same string?

---
If this reply helps you, Karma would be appreciated.

skodak · ‎07-30-2020

I am not sure about this as it generates a huge realtime data and I have just access to Splunk UI for creating dashboards.

skodak · ‎07-30-2020

Tried like this, but no luck

STATUS_DETAIL|s|n$

Panel with regular expression data is not allowing to capture data for drilldown

drilldown

panel

Developer Spotlight with William Searle

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Panel with regular expression data is not allowing to capture data for drilldown

drilldown

panel

Developer Spotlight with William Searle

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!