Splunk Search

what is the signifincance of $ symbol in splunk ??

rakesh_498115
Motivator

Hi..

I know that the dolloar $ is used for variables . like $a or $b something like this.In splunk i have seen in few posts like $results[0].Field$ which is giving the 0th value of Field , if that is the case , a search result generally returns one or more rows ryt ?? can i print all the search results using $results[0...].Field$ variable ?? Is there is a way in splunk to do it ??

can you please me .and justify the usage of two "$" symbols in splunk..

thnx in advance.

Tags (1)
0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

It's a convention started by Splunk, and in core Splunk it's used in several notable places

-- to show where selected values should be slotted into searches via the "stringreplace" intention, and stringreplace intentions can be generated by Splunk UI modules.
-- to print dynamic values in the SimpleResultsHeader module.
-- to show where arguments should be slotted into macros that take arguments. (not all macros take arguments so you might never have seen this).

Sideview Utils then takes this convention much further.

-- Almost every sideview module param accepts $foo$ tokens. And you don't need to convert anything to an intention first, or use intentions at all. the raw tokens are simply plugged into the corresponding $foo$ slot in the value.
-- There's actually a page in Sideview Utils that attempts to broadly summarize and classify all of the different $foo$ tokens that are available, what modules create them and why.

(in the Sideview Utils app, go to "Key Techniques > Other > overview of all the new $foo$ keys"

You can download the latest Sideview Utils from here (2.2.2) -
http://sideviewapps.com/apps/sideview-utils/

Note that the version on Splunkbase is quote old (1.3.6)

Also, Note that the $results[0].fieldName$ convention is only a convention inside the HTML module. It's described a fair bit in the docs around the HTML module in Sideview Utils, and I think also on the general $foo$ token page described above.

View solution in original post

sideview
SplunkTrust
SplunkTrust

It's a convention started by Splunk, and in core Splunk it's used in several notable places

-- to show where selected values should be slotted into searches via the "stringreplace" intention, and stringreplace intentions can be generated by Splunk UI modules.
-- to print dynamic values in the SimpleResultsHeader module.
-- to show where arguments should be slotted into macros that take arguments. (not all macros take arguments so you might never have seen this).

Sideview Utils then takes this convention much further.

-- Almost every sideview module param accepts $foo$ tokens. And you don't need to convert anything to an intention first, or use intentions at all. the raw tokens are simply plugged into the corresponding $foo$ slot in the value.
-- There's actually a page in Sideview Utils that attempts to broadly summarize and classify all of the different $foo$ tokens that are available, what modules create them and why.

(in the Sideview Utils app, go to "Key Techniques > Other > overview of all the new $foo$ keys"

You can download the latest Sideview Utils from here (2.2.2) -
http://sideviewapps.com/apps/sideview-utils/

Note that the version on Splunkbase is quote old (1.3.6)

Also, Note that the $results[0].fieldName$ convention is only a convention inside the HTML module. It's described a fair bit in the docs around the HTML module in Sideview Utils, and I think also on the general $foo$ token page described above.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...