Splunk Search

Passing token to dashboard query

nagarjuna119
Engager

Passing a token to dashboard using below is not working, dashboard is stuck on "search is waiting for input"

message below is a json field so using spath to parse its fields, I have used the token in the title and it showed the right value, and below query works fine without token 

index="indextest" source="my source" sourcetype="ab-xyz" | spath input=message | UserName = $UserName_Token$
| table JobServiceId CreateDateTime Status UserName 

 

 

0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

There's an error in your SPL. This is not valid SPL, but maybe that's a typo

 

...
| UserName = $UserName_Token$
...

 

Did you mean?

| where UserName = "$UserName_Token$"

Note quotes

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

There's an error in your SPL. This is not valid SPL, but maybe that's a typo

 

...
| UserName = $UserName_Token$
...

 

Did you mean?

| where UserName = "$UserName_Token$"

Note quotes

0 Karma

nagarjuna119
Engager

That worked if I select a specific value thank you.
However when I use  * as default value to return all the entires it does't return any results 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

This is where the use of '| where' or '| search' is relevant.

If using where, then it's a regex, so just having * will not work, it needs to be .* but if you use search you can just use * as the wildcard, but it's less precise as using where.

 

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...