Quick questions regarding the adding of input fields to reports and dashboards (on Splunk 6.1.1).
When i add an input field (all except time) I define the search that will populate the fields.
everything works great but if the populated field has more than one word (i.e. "3 word field") than i need to use quotation marks in the prefix and suffix of the field. that is also great but then i am not able to use a static field for all as it requires a * and with the prefix/suffix it is looking for "*" and not *
Is there any resolution for that issue?
Thanks in advance,
In this case... the token is a field filter (to the left of the first pipe), or it is prefixed by |search
The prefix is:
the suffix is: "
Static options are:
Your search is:
index=whatever $token_here$ |stats count by blah
which becomes either:
index=whatever yourfield="The Value Here" |stats count by blah
OR index=whatever yourfield="*" |stats count by blah
OR index=whatever |search yourfield="The Value Here" |stats count by blah
OR index=whatever |search yourfield="*" |stats count by blah
what you probably did... was just put the quotes in prefix/suffix... but the prefix containing the field will help it all make sense... (I did that the first time too... )
To see the effect, if the panel doesn't show data... click on the little magnifying glass on the lower left hand corner of the panel (you have to hover over it for it to appear). That will run the panel in search and you'll see how the token resolved. That helps a lot. At least that helped me. 😉
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Unfortunately i know how it's resolved in the search but as you said it is resolved like this:
index=whatever yourfield="*" |stats count by blah
I need a way to be able to search for * for that field without quotes, but still have the ability to use multiple words in that field (i.e. "CASE 123123")
thanks in advance,
I have another open issue that we talked about and if you have the time to have another look it would be great 😄