Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the token used in secondary search fails?

wilsonds
Loves-to-Learn Lots
‎02-05-2020 01:11 PM

I have a saved search in which I successfully pass and use a token from a dashboard to drive it. I then added a second token to use in a secondary search and this always fails. I have a dashboard panel that does the following:

|savedsearch "Locations - Super Query" source_region=blue@bimlocs-p-ew1
| eval categoryIn = case("$category$"="ALL", "", 1=1, "$category$")
| search category=categoryIn
| table agent, category, categoryIn, containerId, line.ul-operation, line.ul-log-data.http_response_code, oxygenId, _time, line.ul-log-data.http_url, source*

If I remove the secondary search using the eval parameter from the token it works and the token string correctly appears in the table results. The strings are identical in the results. I don't understand what is wrong with the secondary search. I've tried = and other approaches for the string comparison which works everywhere else, but always fails in my secondary search. I must be missing something obvious as to why.

Any help is appreciated.

alt text

Tags (2)
Preview file
35 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 02:12 PM 
| search category=categoryIn

→

| where category==categoryIn

search can not compare fields.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wilsonds
Loves-to-Learn Lots
‎02-20-2020 10:12 AM

Thank you.
Although I believe the above answer is correct, I had issues using an * in the where clause. I did try | where like(category, categoryIn) but the wildcard failed. Since category isn't part of the logged data, I had to create an eval field in each query of my multisearch. Once my results had a category value, this allowed me to use a secondary search of | search category=$category$ using the token which supports wildcards.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-20-2020 12:23 PM 
| where category="$category$"

* is string, need ""

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 02:12 PM 
| search category=categoryIn

→

| where category==categoryIn

search can not compare fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...