Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard/ Report Input fields and static options

NaorPenso
Explorer
‎06-30-2014 10:48 PM

Hi Guys,

Quick questions regarding the adding of input fields to reports and dashboards (on Splunk 6.1.1).
When i add an input field (all except time) I define the search that will populate the fields.
everything works great but if the populated field has more than one word (i.e. "3 word field") than i need to use quotation marks in the prefix and suffix of the field. that is also great but then i am not able to use a static field for all as it requires a * and with the prefix/suffix it is looking for "*" and not *

Is there any resolution for that issue?
Thanks in advance,
Naor

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-01-2014 12:36 AM

In this case... the token is a field filter (to the left of the first pipe), or it is prefixed by |search

The prefix is:

yourfield="

the suffix is:
"

Static options are:

Name: ALL

value: *

Your search is:

index=whatever $token_here$ |stats count by blah
which becomes either:

index=whatever yourfield="The Value Here" |stats count by blah

OR
index=whatever yourfield="*" |stats count by blah

OR
index=whatever |search yourfield="The Value Here" |stats count by blah


OR
index=whatever |search yourfield="*" |stats count by blah


what you probably did... was just put the quotes in prefix/suffix... but the prefix containing the field will help it all make sense... (I did that the first time too... )

To see the effect, if the panel doesn't show data... click on the little magnifying glass on the lower left hand corner of the panel (you have to hover over it for it to appear). That will run the panel in search and you'll see how the token resolved. That helps a lot. At least that helped me. 😉

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-03-2014 10:40 AM

Please explain what you think the difference between filed="" and field= is in this case?
Because I see no behavioral difference... but maybe you can enlighten?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

NaorPenso
Explorer
‎07-03-2014 03:51 AM

Hi rsennett,
Unfortunately i know how it's resolved in the search but as you said it is resolved like this:
index=whatever yourfield="*" |stats count by blah
I need a way to be able to search for * for that field without quotes, but still have the ability to use multiple words in that field (i.e. "CASE 123123")

Any advice?
thanks in advance,
Naor Penso.

P.S
I have another open issue that we talked about and if you have the time to have another look it would be great 😄

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...