Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard not populating as they have $ symbol in some field values, is there another way?

power12
Communicator
‎02-21-2023 11:48 AM

Hello Splunkers

I have the following search.The search works fine when running it but when its saved as a panel in a dashboard it complains saying waiting for input  as some of field values  for state have $ in them("5-drained$") ...is there any other way to change the search to ignore it

 

index=abc
| chart latest(state_sinfo) as state by node 
| stats count by state
| eval {state}=count 
| fields - count
| replace allocated WITH "1-allocated" IN state
| replace "allocated*" WITH "1-allocated*" IN state
| replace "allocated$" WITH "1-allocated$" IN state
| replace "completing" WITH "1-completing" IN state
| replace "planned" WITH "1-planned" IN state
| replace idle WITH "2-idle" IN state
| replace "idle*" WITH "2-idle*" IN state
| replace maint WITH "3-maint" IN state
| replace reserved WITH "4-reserved" IN state 
| replace down WITH "5-down" IN state
| replace "down*" WITH "5-down*" IN state
| replace "down$" WITH "5-down$" IN state
| replace "drained*" WITH "5-drained*" IN state
| replace "drained$" WITH "5-drained$" IN state
| replace "drained" WITH "5-drained" IN state
| replace "draining" WITH "5-draining" IN state
| replace "draining@" WITH "5-draining@" IN state
| replace "reboot" WITH "5-reboot" IN state
| replace "reboot^" WITH "5-reboot^" IN state
| sort +state

 

 Thanks in Advance

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-21-2023 01:19 PM

Double up your dollars

| replace "allocated$$" WITH "1-allocated$$" IN state
0 Karma
Reply

power12
Communicator
‎02-22-2023 10:34 AM

@ITWhisperer  I want it as 1-allocated$ ...is there a way...i dont want an additional $

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-22-2023 03:02 PM

Have you tried it in your dashboard? The double dollar should get converted to a single dollar when it is executed.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...