I'm trying to create my own Splunk (dashboard) queries for Okta data analysis. I'm having issues because a specific field has a space in the value and it's causing the dashboard to not be able to retrieve data (when I know there is data). 3 other drop-down menus work fine (there are no spaces in the values there). My main suspicion is that the failure is caused by those spaces.
I'm trying to transform the values and remove spaces, in the hope that would help.
I found some recommendations online and examples of functions, but I'm not very experienced with Splunk. Can anyone explain step by step how I could solve this issue? The name of my field with issues is "actor.displayName" (it has multiple spaces in the values).
Examples found online:
1) | rex mode=sed field=A "s/ //g"
2) | eval nospace=trim(A)
3) | rex field=field1 "(?<newfield>\S+)"
4) | eval NewField=trim(OldField)
Has anyone encountered this issue before? Thanks for the help!
Rather than trying to remove the spaces, why not consider wrapping the value in quotes where it is used?
$token_name|s$
https://docs.splunk.com/Documentation/Splunk/9.1.1/Viz/tokens#Token_filters
@ITWhisperer Want to say THANK YOU again! Just tried to wrap it and everything worked.
It took me a while to understand that I need to wrap it not in the main query but in my additional part, where I'm trying to pass the token to other components.
This name already comes from the OKTA logs with a dot; unfortunately I won't be able to change it. Need to work with what I have. Thank you for the help! I appreciate it!
The name of the field might come from the log, but the name of the token doesn't have to match. If you can edit the dashboard, you can change the name of the token.
Thank you for your advice. In this case, if my token name is for example "actor.displayName",
do I need to wrap it like this in the main query? : $"actor.displayName"|s$
Sorry for asking what is probably a very basic question...
$actor.displayName|s$
Having said that, you should probably avoid using a dot in names where possible, so perhaps name your token actorDisplayName and use $actorDisplayName|s$
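As an added example (not part of the original thread), here is a minimal Simple XML dashboard showing where the |s filter goes: the dropdown sets a token from the Okta field, and the panel search that consumes the token applies |s so a value containing spaces is passed as one quoted string. The index name okta, the eventType field, the time ranges and the labels are assumptions; the token name actorDisplayName follows the suggestion above.

```xml
<form version="1.1">
  <label>Okta actor activity (constructed example)</label>
  <fieldset submitButton="false">
    <!-- The token name is chosen freely; it does not have to match the field name -->
    <input type="dropdown" token="actorDisplayName" searchWhenChanged="true">
      <label>Actor</label>
      <fieldForLabel>actor.displayName</fieldForLabel>
      <fieldForValue>actor.displayName</fieldForValue>
      <search>
        <!-- Populating search: no token is used here, so no filter is needed -->
        <query>index=okta | stats count by actor.displayName</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events for the selected actor</title>
      <table>
        <search>
          <!-- Consuming search: |s wraps the token value in quotes, so a name
               with spaces is compared as a single value instead of being
               split into separate search terms -->
          <query>index=okta actor.displayName=$actorDisplayName|s$ | stats count by eventType</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Every other panel or drilldown that receives this token needs the same |s filter at the point where the token is substituted into its search.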