Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Inputlookup, Return command <$Field> and <Field> confusion with Dashboard Implementation?

SubtotalAMG
Loves-to-Learn Lots
‎06-07-2023 07:09 PM

Hey All, 

So I'm relatively new to Splunk. I have a csv file that has multiple computers and I've created a dashboard trying to get reports based on the parameters the user chooses. The search by itself is fine and is this:

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv | search Type="Prod" | return host=IIS_Server ] OR
([| inputlookup FileName.csv | search Type="Prod" | return host=IIS_for_XServers cs_uri_stem=Pattern_for_Servers])
| timechart span=5m count by host

but when I start placing  that search in a dashboard with user inputs it looks like this:

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_Server ] OR
([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_for_XServers cs_uri_stem=$Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

Once implemented I get a "Search is wating for input..." even after selecting an input and clicking the submit button.

But I found the solution for the dashboard is:

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv | $Type_of_deployment$ | return host=IIS_Server ] OR
([| inputlookup FileName.csv | $Type_of_deployment$ | return host=IIS_for_XServers cs_uri_stem=Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

So if you noticed the difference it's the <$field> with the return command. I don't understand the difference between  <$field> and <field>.
I've searched everywhere and the documentation on it still confuses me, even posts from this community forum. Why does it matter when it comes into the dashboard?
But when I use either format ( <$field> and <field>) for normal searching it doesn't have a problem and actually spits back the exact same results between the two. Which according to the documentation and from research that's not even supposed to happen. But it throws a fit when I place it into the dashboard. Can someone ELI5?

Some Sources that I've used and don't make much sense to me:

https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92212

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/SearchReference/Return

 

 

Labels (3)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-07-2023 10:01 PM

I honestly have never encountered use of <$field> in SPL because SPL generally uses bare string for field name, and <$token$> for token name.  If return is not the only command that uses this syntax, it must be among an extreme few.  And as you just experience, using <$field> notation does more harm than good.

So, why does the following give you "waiting for input?"

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_Server ] OR
([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_for_XServers cs_uri_stem=$Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

If you are a compiler and scan the command, you'll see the following potential tokens in need of population:

  1. $Type_of_deployment$
  2. $IIS_Server ] OR
    ([| inputlookup FileName.csv |$
  3. $IIS_for_XServers cs_uri_stem=$
  4. $Span_Timechart$

You may have $Type_of_deployment$ and $Span_Timechart$ defined in your dashboard input, but I am sure not the others.  Hence "waiting for input."

You can report this as a Simple XML bug.  There may be some strategies for the scanner to tokenize $IIS_Server within that subsearch as an alternative format for return command.  But in practice, it is easier to just forget that return command has an alternative format for field name, and stick to using bare word.  The documentation clearly says that there is no semantic difference.

0 Karma
Reply

SubtotalAMG
Loves-to-Learn Lots
‎06-08-2023 03:57 PM

Compiler view helped me understand the problem and the alternative solution worked as well thank you!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2023 09:40 PM

Tokens (I presume Type_of_deployment is a token set by some input on your dashboard) are delimited by dollar signs and the search will wait for the input for the token to be completed. The search is probably waiting for a token called "IIS_for_XServers cs_uri_stem=" (which doesn't exist) - try doubling up the dollars for the variables

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$$IIS_Server ] OR
([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$$IIS_for_XServers cs_uri_stem=$$Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

 

0 Karma
Reply

SubtotalAMG
Loves-to-Learn Lots
‎06-08-2023 03:56 PM

You're alternative solution worked thank you!

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...