I have a dashboard with 2 panels.
1st panel is a bar chart whose data will populate based on 2nd panel (drilldown).
When I select data on 2nd panel with stats, graph is getting filtered in 1st panel. Problem is when my 2nd panel data consists of regular expression like [[A-ZA-Z '\-\.\xC0-], my token is not able to hold this kind of data and is not showing results in 1st panel.
Please help to fix this issue.
Panel 1 Query -
index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) (ACCOUNT="$ACCOUNT$", REQUEST="$REQUEST$",STATUS_DETAIL="$STATUS_DETAIL$",STATUS_TYPE="$STATUS$")
| eventstats sum(RECORD_COUNT) as TOTAL_COUNT by ACCOUNT, REQUEST,STATUS_DETAIL,STATUS
| eval account_request_status = ACCOUNT . ":::" . REQUEST . ":::" . STATUS
| timechart span=1m limit=0 sum(RECORD_COUNT) by account_request_status
Panel 2 Query -
index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) $requesttype$ $Account$ $status$|eventstats sum(RECORD_COUNT) as TOTAL_COUNT by REQUEST ,ACCOUNT,STATUS_DETAIL, STATUS
| stats count by ACCOUNT, REQUEST,STATUS,STATUS_DETAIL, TOTAL_COUNT
| fields - count
STATUS_DETAIL is generating regex which is generated in realtime.
Please help.
Try telling Splunk to put quotation marks around the token values by using the |s filter.
index=production sourcetype="db" (APPLICATIONTYPE="A" OR APPLICATIONTYPE="B" OR APPLICATIONTYPE="C" ) (ACCOUNT="$ACCOUNT$", REQUEST="$REQUEST$",STATUS_DETAIL="$STATUS_DETAIL|s$",STATUS_TYPE="$STATUS$")
| eventstats sum(RECORD_COUNT) as TOTAL_COUNT by ACCOUNT, REQUEST,STATUS_DETAIL,STATUS
| eval account_request_status = ACCOUNT . ":::" . REQUEST . ":::" . STATUS
| timechart span=1m limit=0 sum(RECORD_COUNT) by account_request_status
See https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/tokens#Syntax_to_consume_tokens
Tried, but results in below error -
Unknown search command '0'.
I tried to add |n which is working in few regex like 'RESPECT TO PATTERN '[0-9]+''
Please let me know if I can add like-
|s|n$
I am not sure about this as it generates a huge realtime data and I have just access to Splunk UI for creating dashboards.
Tried like this, but no luck
STATUS_DETAIL|s|n$
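Added example, not part of the original thread and not Splunk's own code: a simplified Python model of textual token substitution, comparing the three ways of placing the STATUS_DETAIL token (raw inside quotes, `|s` inside quotes, `|s` with no surrounding quotes) when the value contains a pipe or a double quote. The sample values, the function names and the parsing model are assumptions of this sketch; `s_filter` follows the behaviour described for `|s` in the linked token documentation (wrap in quotes, escape inner quotes).

```python
# Simplified model, not Splunk's parser: tokens are substituted as text, then
# the search is split into commands at pipes outside double-quoted strings.

def s_filter(value):
    """Model of the |s filter: wrap in double quotes and escape inner quotes.
    Escaping backslashes as well is an assumption of this sketch."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def substitute(template, name, value):
    """Replace $name|s$ and $name$ in the template with the token value."""
    out = template.replace("$" + name + "|s$", s_filter(value))
    return out.replace("$" + name + "$", value)

def split_commands(search):
    """Split a search string at pipes that are not inside "..."."""
    commands, current, in_quotes, i = [], "", False, 0
    while i < len(search):
        ch = search[i]
        if ch == "\\" and in_quotes and i + 1 < len(search):
            current += search[i:i + 2]  # escaped character stays in the string
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "|" and not in_quotes:
            commands.append(current.strip())
            current = ""
        else:
            current += ch
        i += 1
    commands.append(current.strip())
    return commands

TAIL = " | timechart span=1m sum(RECORD_COUNT)"
FORMS = {
    "raw_in_quotes": 'STATUS_DETAIL="$STATUS_DETAIL$"',
    "s_in_quotes": 'STATUS_DETAIL="$STATUS_DETAIL|s$"',
    "s_alone": "STATUS_DETAIL=$STATUS_DETAIL|s$",
}

def commands_for(form, value):
    """Commands the model sees after substituting value into the given form."""
    return split_commands(substitute(FORMS[form] + TAIL, "STATUS_DETAIL", value))

if __name__ == "__main__":
    # Constructed sample values: one with a pipe, one with quotes and a pipe.
    for value in ("PATTERN [1-9]|0[0-9]", 'SAID "A|0B"'):
        for form in FORMS:
            print(form, repr(value), commands_for(form, value))
```

In this model only the `s_alone` form keeps both sample values inside a single quoted string; the other two forms leave a fragment beginning with `0` where a command name is expected.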