Wrapping fieldnames in $...$ breaks saved search

jcbrendsel
Path Finder

I am wrapping numerically named fields in $...$ to force Splunk to interpret them as field names. This works great in interactive search, but is breaking saved search.

For example:

    eval 800k=round($800k$/360,1)

generates the following error when used in a saved search:

[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/360,1)'

Any idea why?

1 Solution

Paolo_Prigione
Builder

$ is the symbol used in dashboard forms to mark the tokens which will be substituted by the selected values. As saved searches can be used in dashboards, I think when you execute them the dollar sign is substituted by a non-existent token, therefore an empty string, causing a syntax error.

s_n
Engager

Old topic, but someone may find it via Google looking for a solution.
For me, a saved search with the map command, to which $variable$ is passed, worked in the following way:

savedsearch_1:

    foo | map savedsearch_2 var1=$var1$ var2=$var2$

savedsearch_2:

    search bar | where var1=$var1$ var2=$var2$ | head 1

Trying different syntax like:

    foo | map search="search bar | where var1=\"$var1\" var2=\"var2\" | head 1"

worked well in interactive search, but in saved and scheduled searches the variables weren't passed to the map command, so the search always returned no results.

sideview
SplunkTrust

If you're using Sideview Utils, strings wrapped in dollar sign characters are treated as dynamic tokens in almost every param and context you can imagine. So if you're using dollar signs within a Sideview "Search" module, for instance, then it will look up the value of the "800k" field, find nothing there, and substitute an empty string.

In short, if you are using Sideview Utils, I'd avoid ever using dollar signs in field names, because you're kind of playing with fire here.

However, if you do need to use them, in short just use two consecutive dollar signs to represent one. There's more and it's all covered in the documentation for the HTML module. Look in Sideview Utils for the HTML docs, and specifically for the section titled "What if I actually need to print a dollar sign?"

David
Splunk Employee

There may be a better way, but you could always rename:

    YourSearch | rename 800k as DescriptiveFieldName | eval DescriptiveFieldName=round(DescriptiveFieldName/360,1)

gkanapathy
Splunk Employee

Using single quotes ' instead of dollar signs $ seems to work for me.

jcbrendsel
Path Finder

Any suggestion on how I work around this?
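
The following is an added example, not part of the original thread and not Splunk's or Sideview's own code. It models the behaviour the replies describe (an undefined `$name$` token becomes an empty string, `$$` stands for one literal dollar sign) and audits a constructed `savedsearches.conf`-style sample for searches that would break; the stanza names, the sample searches and the helper names are assumptions.

```python
import configparser
import re

# Assumed model, taken from the replies in this thread: $name$ is a token,
# an undefined token becomes an empty string, and $$ stands for one literal
# dollar sign (the Sideview Utils escape).
TOKEN = re.compile(r"\$\$|\$([^$\s]+)\$")

def substitute(search, tokens):
    """Return the search string as it would look after token substitution."""
    def repl(m):
        return "$" if m.group(1) is None else str(tokens.get(m.group(1), ""))
    return TOKEN.sub(repl, search)

def audit(conf_text, tokens):
    """Map each affected stanza to (undefined token names, substituted search)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        search = cp.get(name, "search", fallback="")
        missing = sorted({m.group(1) for m in TOKEN.finditer(search)
                          if m.group(1) is not None and m.group(1) not in tokens})
        if missing:
            report[name] = (missing, substitute(search, tokens))
    return report

# Constructed sample in savedsearches.conf layout; stanza names are hypothetical.
SAMPLE = """
[dollar_wrapped]
search = foo | eval 800k=round($800k$/360,1)

[single_quoted]
search = foo | eval 800k=round('800k'/360,1)

[escaped]
search = foo | eval 800k=round($$800k$$/360,1)

[map_child]
search = search bar | where var1=$var1$ | head 1
"""

if __name__ == "__main__":
    # Only var1 is supplied, as it would be by a parent map command.
    for name, (missing, result) in audit(SAMPLE, {"var1": "42"}).items():
        print(f"{name}: undefined {missing} -> {result}")
```

Under this model the dollar-wrapped search collapses to `round(/360,1)`, which is the fragment quoted in the error message in the question, while the single-quoted and `$$`-escaped forms are not flagged.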
