Splunk Search

Inputlookup, Return command <$Field> and <Field> confusion with Dashboard Implementation?

SubtotalAMG
Loves-to-Learn Lots

Hey All, 

So I'm relatively new to Splunk. I have a csv file that has multiple computers and I've created a dashboard trying to get reports based on the parameters the user chooses. The search by itself is fine and is this:

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv | search Type="Prod" | return host=IIS_Server ] OR
([| inputlookup FileName.csv | search Type="Prod" | return host=IIS_for_XServers cs_uri_stem=Pattern_for_Servers])
| timechart span=5m count by host

but when I start placing  that search in a dashboard with user inputs it looks like this:

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_Server ] OR
([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_for_XServers cs_uri_stem=$Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

Once implemented I get a "Search is wating for input..." even after selecting an input and clicking the submit button.

But I found the solution for the dashboard is:

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv | $Type_of_deployment$ | return host=IIS_Server ] OR
([| inputlookup FileName.csv | $Type_of_deployment$ | return host=IIS_for_XServers cs_uri_stem=Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

So if you noticed the difference it's the <$field> with the return command. I don't understand the difference between  <$field> and <field>.
I've searched everywhere and the documentation on it still confuses me, even posts from this community forum. Why does it matter when it comes into the dashboard?
But when I use either format ( <$field> and <field>) for normal searching it doesn't have a problem and actually spits back the exact same results between the two. Which according to the documentation and from research that's not even supposed to happen. But it throws a fit when I place it into the dashboard. Can someone ELI5?

Some Sources that I've used and don't make much sense to me:

https://community.splunk.com/t5/Splunk-Search/How-to-use-INPUTLOOKUP-command-in-splunk/m-p/92212

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/SearchReference/Return

 

 

Labels (3)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I honestly have never encountered use of <$field> in SPL because SPL generally uses bare string for field name, and <$token$> for token name.  If return is not the only command that uses this syntax, it must be among an extreme few.  And as you just experience, using <$field> notation does more harm than good.

So, why does the following give you "waiting for input?"


index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_Server ] OR
([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$IIS_for_XServers cs_uri_stem=$Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

If you are a compiler and scan the command, you'll see the following potential tokens in need of population:

  1. $Type_of_deployment$
  2. $IIS_Server ] OR
    ([| inputlookup FileName.csv |$
  3. $IIS_for_XServers cs_uri_stem=$
  4. $Span_Timechart$

You may have $Type_of_deployment$ and $Span_Timechart$ defined in your dashboard input, but I am sure not the others.  Hence "waiting for input."

You can report this as a Simple XML bug.  There may be some strategies for the scanner to tokenize $IIS_Server within that subsearch as an alternative format for return command.  But in practice, it is easier to just forget that return command has an alternative format for field name, and stick to using bare word.  The documentation clearly says that there is no semantic difference.

0 Karma

SubtotalAMG
Loves-to-Learn Lots

Compiler view helped me understand the problem and the alternative solution worked as well thank you!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Tokens (I presume Type_of_deployment is a token set by some input on your dashboard) are delimited by dollar signs and the search will wait for the input for the token to be completed. The search is probably waiting for a token called "IIS_for_XServers cs_uri_stem=" (which doesn't exist) - try doubling up the dollars for the variables

index=whatever sourcetype=whateverXxX
[ | inputlookup FileName.csv |$Type_of_deployment$ | return host=$$IIS_Server ] OR
([| inputlookup FileName.csv |$Type_of_deployment$ | return host=$$IIS_for_XServers cs_uri_stem=$$Pattern_for_Servers])
| timechart span=$Span_Timechart$ count by host

 

0 Karma

SubtotalAMG
Loves-to-Learn Lots

You're alternative solution worked thank you!

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...