I am wondering why when I search with the original query it pulls all of the data I want and displays it the way I want.
product=Windows status=failure Failure_Reason="*" Account_Name=$Account_Name_token$ | stats count by Failure_Reason, Status, Workstation_Name | sort - count |
However, when I input the token portion of the query and adjust the source code within the dashboard it does not display the same data?
"Account_Name=$Account_Name_token$" should not remove data right? This makes no sense to me
Attached is a picture of what the dashboard source code looks like.
I have reviewed the documentation.
I can tell you that the Splunk instance is on 6.6.2 and not 7.1 (client has been informed of this) and if that is the overriding issue obviously they need to upgrade.
I appreciate Any help or insight.
Hi @Hegemon76 ,
Did you have a chance to check out an answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.
Thanks for posting!
The original query looks like this
product=Windows status=failure FailureReason="*" | stats count by FailureReason, Status, Workstation_Name | sort - count |
I add in "AccountName=$AccountName_token$" once the dashboard has been made.