Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Dashboard/ Report Input fields and static options

NaorPenso
Explorer
‎06-30-2014 10:48 PM

Hi Guys,

Quick questions regarding the adding of input fields to reports and dashboards (on Splunk 6.1.1).
When i add an input field (all except time) I define the search that will populate the fields.
everything works great but if the populated field has more than one word (i.e. "3 word field") than i need to use quotation marks in the prefix and suffix of the field. that is also great but then i am not able to use a static field for all as it requires a * and with the prefix/suffix it is looking for "*" and not *

Is there any resolution for that issue?
Thanks in advance,
Naor

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-01-2014 12:36 AM

In this case... the token is a field filter (to the left of the first pipe), or it is prefixed by |search

The prefix is:

yourfield="

the suffix is:
"

Static options are:

Name: ALL

value: *

Your search is:

index=whatever $token_here$ |stats count by blah
which becomes either:

index=whatever yourfield="The Value Here" |stats count by blah

OR
index=whatever yourfield="*" |stats count by blah

OR
index=whatever |search yourfield="The Value Here" |stats count by blah


OR
index=whatever |search yourfield="*" |stats count by blah


what you probably did... was just put the quotes in prefix/suffix... but the prefix containing the field will help it all make sense... (I did that the first time too... )

To see the effect, if the panel doesn't show data... click on the little magnifying glass on the lower left hand corner of the panel (you have to hover over it for it to appear). That will run the panel in search and you'll see how the token resolved. That helps a lot. At least that helped me. 😉

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-03-2014 10:40 AM

Please explain what you think the difference between filed="" and field= is in this case?
Because I see no behavioral difference... but maybe you can enlighten?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

NaorPenso
Explorer
‎07-03-2014 03:51 AM

Hi rsennett,
Unfortunately i know how it's resolved in the search but as you said it is resolved like this:
index=whatever yourfield="*" |stats count by blah
I need a way to be able to search for * for that field without quotes, but still have the ability to use multiple words in that field (i.e. "CASE 123123")

Any advice?
thanks in advance,
Naor Penso.

P.S
I have another open issue that we talked about and if you have the time to have another look it would be great 😄

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...