Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Given variable as value of field and not token

woodman2
Loves-to-Learn Everything
‎01-21-2025 02:04 AM

I have such a search and it works fine but not in Dashboard!

 

 

 

 

index=unis | search *sarch* | eval name = coalesce(C_Name, PersonName) | eval "DoorName"=if(sourcetype=="ARX:db", $Door$,$DoorName$)

 

 

 


when I use this is in a dashboard it looks for Door and DoorName as tokens while they are values of those fields what should I do to make it work in dashboard studio

error I get :

Set token value to render visualization

  • $Door$
  • $DoorName$

edit: if I remove all $  it still works same as in search but still not working in dashboard (without any error) it returns result but DoorName field will be empty

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2025 02:34 AM

Hi @woodman2 ,

at first, don't use the search command after the main search, because you have a slower search.

then, what are $Door$ and $Doorname$?

in Splunk they are tokens defined in a dashboard.

If you have a variable or a field with this name it cannot run in a search.

Ciao.

Giuseppe

0 Karma
Reply

woodman2
Loves-to-Learn Everything
‎01-21-2025 02:49 AM

Door and Doorname are field name that exist in my search result they have values and my search works fine with them unless I use them in a dashboard because it counts them as tokens and not taking their values from my results

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2025 02:53 AM

Hi @woodman2 ,

as I said, dollar char at the borders of a word is the way in Splunk to identify tokens, so you cannot use this format for your fields.

you mast modify your searches and you data structure.

Ciao.

Giuseppe

0 Karma
Reply

woodman2
Loves-to-Learn Everything
‎01-21-2025 02:59 AM

if it's wrong ... so how it works in search? my result are correct until I use my search in dashboard

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2025 09:03 AM

Hi @woodman2 ,

if you have a field whose name begins and ends with $, the search works because it finds this field, but in the Splunk dashboard it interprets the formalism not as a field, but as a token that has not been passed and therefore remains hanging.

As I said: you cannot use this format for your fields.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...