Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the token used in secondary search fails?

wilsonds
New Member
‎02-05-2020 01:11 PM

I have a saved search in which I successfully pass and use a token from a dashboard to drive it. I then added a second token to use in a secondary search and this always fails. I have a dashboard panel that does the following:

|savedsearch "Locations - Super Query" source_region=blue@bimlocs-p-ew1
| eval categoryIn = case("$category$"="ALL", "", 1=1, "$category$")
| search category=categoryIn
| table agent, category, categoryIn, containerId, line.ul-operation, line.ul-log-data.http_response_code, oxygenId, _time, line.ul-log-data.http_url, source*

If I remove the secondary search using the eval parameter from the token it works and the token string correctly appears in the table results. The strings are identical in the results. I don't understand what is wrong with the secondary search. I've tried = and other approaches for the string comparison which works everywhere else, but always fails in my secondary search. I must be missing something obvious as to why.

Any help is appreciated.

alt text

Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 02:12 PM 
| search category=categoryIn

→

| where category==categoryIn

search can not compare fields.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wilsonds
New Member
‎02-20-2020 10:12 AM

Thank you.
Although I believe the above answer is correct, I had issues using an * in the where clause. I did try | where like(category, categoryIn) but the wildcard failed. Since category isn't part of the logged data, I had to create an eval field in each query of my multisearch. Once my results had a category value, this allowed me to use a secondary search of | search category=$category$ using the token which supports wildcards.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-20-2020 12:23 PM 
| where category="$category$"

* is string, need ""

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 02:12 PM 
| search category=categoryIn

→

| where category==categoryIn

search can not compare fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...