How do I prevent Splunk from automatically removing spaces from my search query?

poneill1703
New Member

Hi,

I've been using Splunk 6.4 to create a set of dashboard panels. I've come across an issue where I have the following query:

index=index Category="$Category_1$" | eval eval_1=substr(field_1,1,7) | top limit=$TopNo_1$ eval_1 | fields - percent

This query works perfectly when I first write and save it to a panel. However, once I leave the dashboard and come back into it, the panel no longer returns anything because the query has been changed to this:

index=index Category="$Category_1$" | eval eval_1=substr(field_1,1,7) | top limit=$TopNo_1$ eval_1 | fields-percent

The spaces in the fields section get removed. Instead of removing the percent field, it tries to show only the -percent field, which does not exist. Now it doesn't seem to matter what I try with that fields, if I try "percent", or try moving that segment to the middle of the query. Both of these tweaks work at first, but ultimately the spaces get removed.

Sometimes this query does stay the way I need it to. However, on the same dashboard, I have a second panel which faces the same problem. What then becomes the case is that one panel will be fine, but the other is broken, and when I fix the second panel, the first panel breaks, and then vice versa if I fix the first panel.

I have tried going directly into the source and making changes there, but the same issue occurs.

So my question is, has anyone ever encountered this problem before? Can anyone suggest a workaround?

Thanks.

0 Karma

hunters_splunk
Splunk Employee

Hi Poneill1703,

I have tried creating a panel in a dashboard using a similar query and don't see this happening. I'm using Chrome. Not sure if it is caused by the IE browser you use. Could you please try in a different browser?

Thanks!
Hunter

0 Karma

poneill1703
New Member

Hi Hunter,

I'm only permitted to use IE on my work laptop.

This problem is hit and miss for me. I've seen this occur before, but fortunately the issue didn't persist.

Thanks

0 Karma

james_hopton
New Member

We are having the same issue. We primarily use IE as well. I will test in Firefox and Microsoft Edge.

0 Karma

james_hopton
New Member

I've narrowed it down to IE. With the following example it will do it every time. Edit the dashboard and just change the last underscore in the title to a space or back. Or change the drilldown from cell to row or back. Save and refresh the page. I tested with MS Edge and Firefox and neither had the problem.

James_Test_dash_strip_test

<panel>
  <table>
    <title>Top Host,Index and Sourcetype Today</title>
    <search>
      <query>index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage | stats sparkline(sum(b),1h) as Today, sum(b) as Bytes,latest(poolsz) as poolsz by h,idx,st | eval Gbytes=round(Bytes/1024/1024/1024,2) | eval lic=round(poolsz/1024/1024/1024,0) | eval Lic_Pct=round(Gbytes/lic*100,2) | sort -Gbytes | head 10 | fields - lic,poolsz,Bytes | rename idx AS index | rename h AS host | rename st AS sourcetype</query>
      <earliest>@d</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">row</option>
    <option name="wrap">false</option>
  </table>
</panel>
0 Karma
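
A check for the symptom reported in this thread, added here as an example and not posted by any participant: it parses Simple XML dashboard source and flags any `<query>` where the `fields` command runs straight into its `-` or `+` sign. The function name and the sample dashboard are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# `fields` used as a command (start of query or after a pipe) with the
# +/- sign glued to it, e.g. "| fields-percent" as reported in the thread.
# "fields - percent" and "sort -Gbytes" are left alone.
COLLAPSED_FIELDS = re.compile(r"(?:^|\|)\s*fields[+-]\S*")

# Constructed sample: one intact panel, one with the space stripped.
SAMPLE = """<dashboard>
  <row>
    <panel><table>
      <title>Intact</title>
      <search><query>index=index | top limit=5 eval_1 | fields - percent</query></search>
    </table></panel>
    <panel><table>
      <title>Collapsed</title>
      <search><query>index=index | top limit=5 eval_1 | fields-percent | sort -count</query></search>
    </table></panel>
  </row>
</dashboard>"""


def find_collapsed_fields(dashboard_xml):
    """Return (panel title, offending fragment) for each affected <query>."""
    root = ET.fromstring(dashboard_xml)
    hits = []
    # Visit every element; those holding a <search> child also hold the
    # <title> that identifies the panel.
    for parent in root.iter():
        title = parent.findtext("title", default="(untitled)")
        for search in parent.findall("search"):
            query = search.findtext("query") or ""
            for match in COLLAPSED_FIELDS.finditer(query):
                hits.append((title, match.group(0).lstrip("| ").strip()))
    return hits


if __name__ == "__main__":
    for title, fragment in find_collapsed_fields(SAMPLE):
        print(f"{title}: {fragment}")
```

Running it against the dashboard source after each save shows which panel was rewritten, which helps when one panel breaks as another is fixed.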

lguinn2
Legend

I've not seen this. What browser are you using? Does it happen if you use a different browser?

0 Karma

poneill1703
New Member

I'm using Internet Explorer 11. I'm only permitted to use this browser on my work laptop, so I don't know if this happens on different browsers.

0 Karma

davebrooking
Contributor

What happens if you add a comment at the end of the search, or use a noop command, so your search becomes

index=index Category="$Category_1$" | eval eval_1=substr(field_1,1,7) | top limit=$TopNo_1$ eval_1 | fields - percent `comment("comment text")`

or

index=index Category="$Category_1$" | eval eval_1=substr(field_1,1,7) | top limit=$TopNo_1$ eval_1 | fields - percent | noop
0 Karma

poneill1703
New Member

Hi,

I tried adding the noop command. Same thing, the spaces get removed. I apply the change to one of my panels, and it sticks. However, the other panel then breaks. And then vice versa if I apply the change to the second panel, the first panel breaks again because the spaces get removed.

I tried adding the comment as suggested above, but the syntax does not work for me.

Thanks.

0 Karma

davebrooking
Contributor

Hi

It appears that the comment macro was shipped in Splunk 6.5. The documentation for 6.4 shows how to create the macro.

However, I don't think this will solve your issue if the noop didn't work. It was a long shot and I thought the removal of the spaces may have been related to whether the fields command was the last portion of the search, and maybe adding 'extras' may have fooled the system into not removing the spaces.

Dave

0 Karma

poneill1703
New Member

Yeah, I had the same thinking and tried moving the fields parts to the middle of the query, but no dice.

0 Karma