Splunk Search

Splunk 6.6.2: Why is inputting the token portion of the search and adjusting the source code within the dashboard, does not display the same data?

Communicator

Hello

I am wondering why when I search with the original query it pulls all of the data I want and displays it the way I want.

product=Windows status=failure Failure_Reason="*" Account_Name=$Account_Name_token$ | stats count by Failure_Reason, Status, Workstation_Name | sort - count |

However, when I input the token portion of the query and adjust the source code within the dashboard it does not display the same data?

"Account_Name=$Account_Name_token$" should not remove data right? This makes no sense to me

Attached is a picture of what the dashboard source code looks like.

I have reviewed the documentation.
I can tell you that the Splunk instance is on 6.6.2 and not 7.1 (client has been informed of this) and if that is the overriding issue obviously they need to upgrade.

I appreciatealt text Any help or insight.

Thank you.

0 Karma

Community Manager
Community Manager

Hi @Hegemon76 ,

Did you have a chance to check out an answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma

Communicator

The only person who responded to this was me.....

0 Karma

Communicator

No one has seen this issue before? Geez

0 Karma

Communicator

Correction

The original query looks like this

product=Windows status=failure FailureReason="*" | stats count by FailureReason, Status, Workstation_Name | sort - count |

I add in "AccountName=$AccountName_token$" once the dashboard has been made.

0 Karma