Dashboards & Visualizations

Splunk dashboard drop-down menu has spaces in the values, causing the dashboard to not be able to retrieve data.

Maximussss
Explorer

I'm trying to create own Splunk (dashboard) queries for Okta data analysis. I'm having issues because a specific field has a space in the value and it's causing the dashboard to not be able to retrieve data (when I know there is data). 3 other drop-down menus work fine (there is no spaces in the values there). My main suspicion that the reason of failure is because of that spaces. 
I'm trying to transform the values and remove spaces, in the hope that would help. 


I Found some recommendations online and examples of functions, but I'm not very experienced with Splunk, can anyone explain step by step how I could solve that issue? If the name of my field with issues is "actor.displayName"  (it has multiple spaces in the values).

Examples found online:
1) | rex mode=sed field=A "s/ //g"

2) | eval nospace=trim(A)

3)| rex field=field1 "(?<newfield>\S+)"

4)|eval NewField=trim(OldField)

Has anyone encountered this issue before? Thanks for help!

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Rather than trying to remove the spaces, why not consider wrapping the value in quotes where it is used

$token_name|s$

https://docs.splunk.com/Documentation/Splunk/9.1.1/Viz/tokens#Token_filters 

View solution in original post

Maximussss
Explorer

@ITWhisperer Want to say THANK YOU again! Just tried to wrap it and everything worked.

It took me a while to understand that I need to wrap it not in the main query but in my additional part when I'm trying to pass the token to other components.

0 Karma

Maximussss
Explorer

This name already comes from OKTA logs with dot, unfortunately I wont be able to change it. Need to work with what I have. Thank you for help! A appreciate it!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The name of the field might come from the log but the name of the token doesn't have to match, if you can edit the dashboard, you can change the name of the token.

Maximussss
Explorer

Thank you for your advice, in this case if my token name is for example "actor.displayName"

in this case in the main query in need to wrap it like this? :  $"actor.displayName"|s$

Sorry for asking probably very basic question...


0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
$actor.displayName|s$

Having said that, you should probably avoid using dot in names where possible, so perhaps name your token as actorDisplayName and use $actorDisplayName|s$

ITWhisperer
SplunkTrust
SplunkTrust

Rather than trying to remove the spaces, why not consider wrapping the value in quotes where it is used

$token_name|s$

https://docs.splunk.com/Documentation/Splunk/9.1.1/Viz/tokens#Token_filters 

Maximussss
Explorer

.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...