Dashboards & Visualizations

Why does the token used in secondary search fails?

wilsonds
Loves-to-Learn Lots

I have a saved search in which I successfully pass and use a token from a dashboard to drive it. I then added a second token to use in a secondary search and this always fails. I have a dashboard panel that does the following:

|savedsearch "Locations - Super Query" source_region=blue@bimlocs-p-ew1
| eval categoryIn = case("$category$"="ALL", "
", 1=1, "$category$")
| search category=categoryIn
| table agent, category, categoryIn, containerId, line.ul-operation, line.ul-log-data.http_response_code, oxygenId, _time, line.ul-log-data.http_url, source*

If I remove the secondary search using the eval parameter from the token it works and the token string correctly appears in the table results. The strings are identical in the results. I don't understand what is wrong with the secondary search. I've tried = and other approaches for the string comparison which works everywhere else, but always fails in my secondary search. I must be missing something obvious as to why.

Any help is appreciated.

alt text

Tags (2)
0 Karma
1 Solution

to4kawa
Ultra Champion
| search category=categoryIn

→

| where category==categoryIn

search can not compare fields.

View solution in original post

0 Karma

wilsonds
Loves-to-Learn Lots

Thank you.
Although I believe the above answer is correct, I had issues using an * in the where clause. I did try | where like(category, categoryIn) but the wildcard failed. Since category isn't part of the logged data, I had to create an eval field in each query of my multisearch. Once my results had a category value, this allowed me to use a secondary search of | search category=$category$ using the token which supports wildcards.

0 Karma

to4kawa
Ultra Champion
| where category="$category$"

* is string, need ""

0 Karma

to4kawa
Ultra Champion
| search category=categoryIn

→

| where category==categoryIn

search can not compare fields.

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...