Solved: Re: Why is a token to filter a saved search not wo...

vtsguerrero · ‎04-13-2015

Hello guys, sup?

I've been facin' this problem for a little while. I have a report ( saved search ) which gives me three status=green,yellow and red.
And I have two filters in my dashboard:

Filter One - Status = $status$ [ radio button ]
Filter Two - Channel = $channel$ [ multiple input text ]

And down under these, some graphics. ( timecharts )

The problem is, the second filter, the text input should show channels based on the first input, the radio - status.
The radio input holds static choice for radio ( green, yellow and red ) with $status$ as a token
And the text input query is the following:

| savedsearch report_resumo | WHERE Status=$status$ | stats by Channel_Name

If I use just status filter, my query and graphics both work based on the saved search, but If I try to filter channels per status ( as they're dynamic fields from the saved search - report ) they're not showing any results at all.
Whats the best way to solve this?

Thanks in advance!

dolivasoh · ‎04-13-2015

I may be incorrect but the Boolean expression in the where clause should look like == "$status$" . Or you could try changing "where" to "search" .

I'd also recommend experimenting with placing actual search language in tokens instead of just field values. You may find a few neat tricks down that route.

View solution in original post

dolivasoh · ‎04-13-2015

I may be incorrect but the Boolean expression in the where clause should look like == "$status$" . Or you could try changing "where" to "search" .

I'd also recommend experimenting with placing actual search language in tokens instead of just field values. You may find a few neat tricks down that route.

dfoster_splunk · ‎04-14-2015

If you use $status|s$ then it will automatically add quotes and escape anything else weird inside the token, such as backslashes. I don't think backslashes apply here, but it is a general technique to be aware of.

dolivasoh · ‎04-14-2015

Can you explain this more? At first I thought it was some kind of typo but now it looks like you're piping to a string? I wasn't aware of these kinds of token... commands is the word for it?

dolivasoh · ‎04-14-2015

Found it.

Token filters

Token filters ensure that you correctly capture the value of a token.
Filter Description
Wrap value in quotes
$token_name|s$ Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.
HTML format
$token_name|h$ Ensures that the token value is valid for HTML formatting.

Token values for the element use this filter by default.
URL format
$token_name|u$ Ensures that the token value is valid to use as a URL.

Token values for the element use this filter by default.

vtsguerrero · ‎04-14-2015

Worked perfectly! Thanks @dolivasoh !
Seems like the problem really was using tokens $$ with the double quotes "" .
I was acttually able to filter the report with the WHERE command, thanks a lot!

dolivasoh · ‎04-14-2015

Excellent work. I'm always on the fence about using quotes. I try to only use them for values with spaces.

Why is a token to filter a saved search not working in a report?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk