Splunk Search

Splunk 6.6.2: Why is inputting the token portion of the search and adjusting the source code within the dashboard, does not display the same data?

Hegemon76
Communicator

Hello

I am wondering why when I search with the original query it pulls all of the data I want and displays it the way I want.

product=Windows status=failure Failure_Reason="*" Account_Name=$Account_Name_token$ | stats count by Failure_Reason, Status, Workstation_Name | sort - count |

However, when I input the token portion of the query and adjust the source code within the dashboard it does not display the same data?

"Account_Name=$Account_Name_token$" should not remove data right? This makes no sense to me

Attached is a picture of what the dashboard source code looks like.

I have reviewed the documentation.
I can tell you that the Splunk instance is on 6.6.2 and not 7.1 (client has been informed of this) and if that is the overriding issue obviously they need to upgrade.

I appreciatealt text Any help or insight.

Thank you.

0 Karma

evania
Splunk Employee
Splunk Employee

Hi @Hegemon76 ,

Did you have a chance to check out an answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma

Hegemon76
Communicator

The only person who responded to this was me.....

0 Karma

Hegemon76
Communicator

No one has seen this issue before? Geez

0 Karma

Hegemon76
Communicator

Correction

The original query looks like this

product=Windows status=failure Failure_Reason="*" | stats count by Failure_Reason, Status, Workstation_Name | sort - count |

I add in "Account_Name=$Account_Name_token$" once the dashboard has been made.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...