Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Trying to extract a string from a delimited token value in a dashboard to be used in a field search

beetlegeuse
Path Finder
‎03-11-2026 03:20 PM

I have a dropdown input type in a dashboard that has a token aligned with it (we'll call it $dropdown_value$); the values in the dropdown look similar to this:

This is a value 1234 (ABC):abcd

I'm trying to extract the string after the colon (abcd) for use in a query; this is the query I'm testing, but it's not working ("No results found" returned in the query's dashboard panel):

index=summary environment=prod report=blah 
| eval my_rex_field="$dropdown_value$" 
| rex field=my_rex_field "[A-Za-z0-9\s\(\)]+\:(?<agentroot>[A-Za-z0-9\W]+)" 
| search AgentName=agentroot

Any ideas regarding where I may be going astray? The token value looks correct as I have it included in the panel title, and the rex works as expected in regex101. I've also tried using split/mvindex to no avail.

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2026 03:44 PM

Try

| where AgentName=agentroot

If this doesn't work, please be more expansive about what works and what doesn't work

Also, why not use abcd as the value for the dropdown and the full string as the label?

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2026 03:44 PM

Try

| where AgentName=agentroot

If this doesn't work, please be more expansive about what works and what doesn't work

Also, why not use abcd as the value for the dropdown and the full string as the label?

Reply
Solved! Jump to solution

beetlegeuse
Path Finder
‎03-11-2026 09:07 PM

Using the "where" command did not work; after reading your question, though, I took another look at how my dropdown input stanza was defined.

I'm using a query to auto-populate the input; by default, the results are used for both the label and the value. After adding the fieldForLabel and fieldForValue tags and adjusting the stats command in the query to reference the correct fields for each of those tags (AgentName for fieldForValue and another field for fieldForLabel), I now have the dropdown looking exactly how I want it without the need for splitting out the token value.

Thank you!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...