Why am I not able to save search in dashboard because of $ sign in search?

shaileshmali
Path Finder

Not able to save search in dashboard because of $ sign in search query.

     match(RelativeURI,"/identity/enhanced-authentication/tasks/~/search") AND match (HttpMethod,"POST"), "TASK1",
     match(RelativeURI,"/identity/enhanced-authentication/tasks$") AND match (HttpMethod,"POST"), "TASK2",
     match(RelativeURI,"/identity/enhanced-authentication/tasks/*") AND match (HttpMethod,"POST"), "TASK3",
     match(RelativeURI,"/identity/enhanced-authentication/tasks$") AND match (HttpMethod,"GET"), "TASK4",
     match(RelativeURI,"/identity/enhanced-authentication/tasks/*") AND match (HttpMethod,"GET"), "TASK5")

micahkemp
Champion

Dashboards use $ to denote fields requiring input, such as $earliest, $latest, etc. It's probably failing to correctly parse that.

Try escaping the dollar signs in your search by doubling them up:

     match(RelativeURI,"/identity/enhanced-authentication/tasks/~/search") AND match (HttpMethod,"POST"), "TASK1",
     match(RelativeURI,"/identity/enhanced-authentication/tasks$$") AND match (HttpMethod,"POST"), "TASK2",
     match(RelativeURI,"/identity/enhanced-authentication/tasks/*") AND match (HttpMethod,"POST"), "TASK3",
     match(RelativeURI,"/identity/enhanced-authentication/tasks$$") AND match (HttpMethod,"GET"), "TASK4",
     match(RelativeURI,"/identity/enhanced-authentication/tasks/*") AND match (HttpMethod,"GET"), "TASK5")

niketn
Legend

I agree with @micahkemp's point: because there are two $ signs in the same pipe, Splunk search treats them as a token in a dashboard. Escaping the $ sign with $$ should work for you.

Here is another option for you: break the case statement into two parts. A run-anywhere example:

     | makeresults
     | eval RelativeURI="/identity/enhanced-authentication/tasks/*"
     | eval HttpMethod="GET"
     | eval test=case(
      match(RelativeURI,"/identity/enhanced-authentication/tasks/~/search") AND match (HttpMethod,"POST"), "TASK1",
      match(RelativeURI,"/identity/enhanced-authentication/tasks$") AND match (HttpMethod,"POST"), "TASK2",
      match(RelativeURI,"/identity/enhanced-authentication/tasks/*") AND match (HttpMethod,"POST"), "TASK3")
     | eval test=case(match(RelativeURI,"/identity/enhanced-authentication/tasks$") AND match (HttpMethod,"GET"), "TASK4",
      match(RelativeURI,"/identity/enhanced-authentication/tasks/*") AND match (HttpMethod,"GET"), "TASK5",
      true(),test)
     | table RelativeURI HttpMethod test
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
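
A pre-save check for the `$$` escaping rule discussed in the answers above, as an added example that is not part of the original thread and not Splunk's own code: it lists what a token parser would read between `$` signs and doubles every literal `$` while leaving real tokens alone. The token grammar is a simplified assumption, and the function names, the sample query and the `method_tok` token are constructed for illustration.

```python
import re

# Assumed, simplified token grammar: $name$ with an optional |filter suffix.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|\w+)?\$")

def unescaped_dollars(search):
    """Offsets of every '$' that is not part of an escaped '$$' pair."""
    offsets, i = [], 0
    while i < len(search):
        if search.startswith("$$", i):
            i += 2
        else:
            if search[i] == "$":
                offsets.append(i)
            i += 1
    return offsets

def misread_spans(search):
    """Text between consecutive unescaped '$' signs, i.e. what would be
    taken as a token name when the dashboard source is parsed."""
    pos = unescaped_dollars(search)
    return [search[a + 1:b] for a, b in zip(pos[0::2], pos[1::2])]

def escape_literal_dollars(search, known_tokens=()):
    """Double each literal '$'; keep '$$' and tokens named in known_tokens."""
    out, i = [], 0
    while i < len(search):
        if search[i] != "$":
            out.append(search[i]); i += 1
        elif search.startswith("$$", i):
            out.append("$$"); i += 2          # already escaped
        else:
            m = TOKEN_RE.match(search, i)
            if m and m.group(1) in known_tokens:
                out.append(m.group(0)); i = m.end()   # real dashboard token
            else:
                out.append("$$"); i += 1      # regex anchor or other literal
    return "".join(out)

# Constructed sample: two regex end anchors plus one hypothetical token.
QUERY = (
    '| eval test=case(\n'
    ' match(RelativeURI,"/identity/enhanced-authentication/tasks$")'
    ' AND match(HttpMethod,"POST"), "TASK2",\n'
    ' match(RelativeURI,"/identity/enhanced-authentication/tasks$")'
    ' AND match(HttpMethod,"$method_tok$"), "TASK4")'
)

if __name__ == "__main__":
    print(misread_spans(QUERY))
    print(escape_literal_dollars(QUERY, known_tokens={"method_tok"}))
```

The escaping is idempotent, so running it again over an already-escaped search leaves the search unchanged.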