Dashboards & Visualizations

Why is a token to filter a saved search not working in a report?

vtsguerrero
Contributor

Hello guys, sup?

I've been facin' this problem for a little while. I have a report ( saved search ) which gives me three status=green,yellow and red.
And I have two filters in my dashboard:

Filter One - Status = $status$ [ radio button ]
Filter Two - Channel = $channel$ [ multiple input text ]

And down under these, some graphics. ( timecharts )

The problem is, the second filter, the text input should show channels based on the first input, the radio - status.
The radio input holds static choice for radio ( green, yellow and red ) with $status$ as a token
And the text input query is the following:

| savedsearch report_resumo | WHERE Status=$status$ | stats by Channel_Name

If I use just status filter, my query and graphics both work based on the saved search, but If I try to filter channels per status ( as they're dynamic fields from the saved search - report ) they're not showing any results at all.
Whats the best way to solve this?

Thanks in advance!

1 Solution

dolivasoh
Contributor

I may be incorrect but the Boolean expression in the where clause should look like == "$status$" . Or you could try changing "where" to "search" .

I'd also recommend experimenting with placing actual search language in tokens instead of just field values. You may find a few neat tricks down that route.

View solution in original post

dolivasoh
Contributor

I may be incorrect but the Boolean expression in the where clause should look like == "$status$" . Or you could try changing "where" to "search" .

I'd also recommend experimenting with placing actual search language in tokens instead of just field values. You may find a few neat tricks down that route.

dfoster_splunk
Splunk Employee
Splunk Employee

If you use $status|s$ then it will automatically add quotes and escape anything else weird inside the token, such as backslashes. I don't think backslashes apply here, but it is a general technique to be aware of.

dolivasoh
Contributor

Can you explain this more? At first I thought it was some kind of typo but now it looks like you're piping to a string? I wasn't aware of these kinds of token... commands is the word for it?

0 Karma

dolivasoh
Contributor

Found it.

Token filters

Token filters ensure that you correctly capture the value of a token.
Filter Description
Wrap value in quotes
$token_name|s$ Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.
HTML format
$token_name|h$ Ensures that the token value is valid for HTML formatting.

Token values for the element use this filter by default.
URL format
$token_name|u$ Ensures that the token value is valid to use as a URL.

Token values for the element use this filter by default.

vtsguerrero
Contributor

Worked perfectly! Thanks @dolivasoh !
Seems like the problem really was using tokens $$ with the double quotes "" .
I was acttually able to filter the report with the WHERE command, thanks a lot!

dolivasoh
Contributor

Excellent work. I'm always on the fence about using quotes. I try to only use them for values with spaces.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...