Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Given variable as value of field and not token

woodman2
Loves-to-Learn Everything
‎01-21-2025 02:04 AM

I have such a search and it works fine but not in Dashboard!

 

 

 

 

index=unis | search *sarch* | eval name = coalesce(C_Name, PersonName) | eval "DoorName"=if(sourcetype=="ARX:db", $Door$,$DoorName$)

 

 

 


when I use this is in a dashboard it looks for Door and DoorName as tokens while they are values of those fields what should I do to make it work in dashboard studio

error I get :

Set token value to render visualization

  • $Door$
  • $DoorName$

edit: if I remove all $  it still works same as in search but still not working in dashboard (without any error) it returns result but DoorName field will be empty

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2025 02:34 AM

Hi @woodman2 ,

at first, don't use the search command after the main search, because you have a slower search.

then, what are $Door$ and $Doorname$?

in Splunk they are tokens defined in a dashboard.

If you have a variable or a field with this name it cannot run in a search.

Ciao.

Giuseppe

0 Karma
Reply

woodman2
Loves-to-Learn Everything
‎01-21-2025 02:49 AM

Door and Doorname are field name that exist in my search result they have values and my search works fine with them unless I use them in a dashboard because it counts them as tokens and not taking their values from my results

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2025 02:53 AM

Hi @woodman2 ,

as I said, dollar char at the borders of a word is the way in Splunk to identify tokens, so you cannot use this format for your fields.

you mast modify your searches and you data structure.

Ciao.

Giuseppe

0 Karma
Reply

woodman2
Loves-to-Learn Everything
‎01-21-2025 02:59 AM

if it's wrong ... so how it works in search? my result are correct until I use my search in dashboard

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2025 09:03 AM

Hi @woodman2 ,

if you have a field whose name begins and ends with $, the search works because it finds this field, but in the Splunk dashboard it interprets the formalism not as a field, but as a token that has not been passed and therefore remains hanging.

As I said: you cannot use this format for your fields.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...