topic Re: drop down menu with source in Getting Data In

drop down menu with source

smolcj — Tue, 06 Nov 2012 10:27:16 GMT

Is it not possible to create a Drop Down menu populating source files as the input?
I have tried using both simple xml and advanced xml. the source filename is replaced in the view results but results are not obtained.

Re: drop down menu with source

Ayn — Tue, 06 Nov 2012 10:35:40 GMT

Could you explain more clearly what you're trying to do? What is replaced, what results are you talking about etc...

Re: drop down menu with source

smolcj — Tue, 06 Nov 2012 10:51:01 GMT

In my form i need a drop down box and a flaschart. the dropdown box is populated with source and by selecting the source a search is done and i should get a chart.
the search query used to populate drop down box is like
index=main sourcetype=* | top source
and it is populated with all the source values . good!.
then my search template is like
index=main source=$tokenusedindropdown$ mysearch| chart count by Field_PC
i am pretty sure than the query will work properly to obtain the chart. issue here is the filepath
single backslash on source filepath should replaced by double. i tried rex using 'sed' and 'sedcmd'
still not work
please help

Re: drop down menu with source

Ayn — Tue, 06 Nov 2012 10:58:04 GMT

You can check what the search looks like if you choose the "Jobs" link to the upper right in splunkweb. There you can confirm if the search looks as it should or if there is something wrong with it.

Re: drop down menu with source

smolcj — Tue, 06 Nov 2012 11:12:15 GMT

I am sure about my search query as i used it with text box inputs and saved searches. now i inspected through 'jobs' as AYN suggested, there too i found the filepath as the issue. can u help me with a rex to replace sourcefilename.
i tried with '/s', as i am not good in rex, i am not able to debug the issue

Re: drop down menu with source

sowings — Tue, 06 Nov 2012 15:15:49 GMT

Hint: If you're searching for the source field, | metadata type=sources index=<index> is going to be much faster than index=main | top source. The latter has to search all of the data in the index, while the former only consults the metadata. Much less information is read from disk, and the search will be much faster.

Re: drop down menu with source

sowings — Tue, 06 Nov 2012 16:14:31 GMT

Additionally, you will want to transform the 'source' field to accommodate Windows paths before setting it in the replacement token (i.e., as part of your search to populate the pulldown). See this answer for a helpful regex.

Re: drop down menu with source

smolcj — Wed, 07 Nov 2012 06:02:08 GMT

so Do i have to use transformation for the source field? can u suggest the regex needed to transform the backslash in source file name to double backslash
thanks

Re: drop down menu with source

Ayn — Wed, 07 Nov 2012 09:02:11 GMT

Something like

... | rex mode=sed field=source "s/\\/\\\\/g"

or similar should get you going. Splunkweb can be a bit tricky to work with when it comes to backslashes so you might need to apply more or less, but that's just a matter of playing around a bit 🙂

Re: drop down menu with source

smolcj — Wed, 07 Nov 2012 10:05:48 GMT

Thanks Ayn , but i already tried it and i am getting an error. "Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."
But when i tried with replace *\* with *\\* in source, it worked for first backslash and i am playing around to make it happen for all the slashes
THANK YOU

Re: drop down menu with source

Ayn — Wed, 07 Nov 2012 10:12:08 GMT

Like I said, you might need to play around a bit with the number of backslashes, due to the way Splunkweb handles things. Don't stop trying just because you got an error with that specific regex I showed you.

Re: drop down menu with source

smolcj — Wed, 07 Nov 2012 10:21:03 GMT

i was wondering that when i am trying with replace command

    "...|replace *\* with *\\* in source" 

(asterisk followed by 2 or 4 slashes and then asterisk again)

, it worked well for first backslash.

'C:/folder/filename.txt' is replaced by 'C://folder/filename.txt' i wish it happened for the second slash also.

THANK YOU

Re: drop down menu with source

Ayn — Wed, 07 Nov 2012 10:23:18 GMT

From the docs on replace: "Replaces a single occurrence of the first string with the second within the specified fields". You can't use replace. Use rex.

Re: drop down menu with source

smolcj — Wed, 07 Nov 2012 11:13:39 GMT

ha, finally it worked with this regex.. if somebody knows much effective one please help..
..| rex mode=sed field=source "s/\\\{1}/\\\\\//g" | rex mode=sed field=source "s/\///g"

THANK YOU

Re: drop down menu with source

splunkpoornima — Thu, 15 Nov 2012 13:08:16 GMT

hi smolcj

Actually i am also facing the same problem..i have created the view and i have the sources in the form of link lister

my doubt is in which piece of code we hav to use this above command

Re: drop down menu with source

smolcj — Thu, 15 Nov 2012 13:15:42 GMT

as i mentioned, i am using a dropdown box in this view.i.e. user will select a source from the dropdown box and he will get some statistics of that source, number of event bla bla bla... so i used this rex along with the search used to populate the dropdown box.
hop it helped you
thanks

Re: drop down menu with source

smolcj — Thu, 15 Nov 2012 13:16:57 GMT

you are right.. replace is for onetime use.. thank you