topic Re: Splunk Query Fails When I use '/' in Query in Getting Data In

Splunk Query Fails When I use '/' in Query

pramit46 — Mon, 20 Nov 2017 09:13:08 GMT

I have a query as follows:
index="idx" sourcetype="st" host="host" |search Port=1/0/23

It shows "No Results Found"

But I know there are more than 1 events available for the Port 1/0/23. which show up when I remove the "search filter" part and run it in verbose mode.
I think it is ignoring the value due to that '/'
Any idea how to handle this?

Re: Splunk Query Fails When I use '/' in Query

kamlesh_vaghela — Mon, 20 Nov 2017 09:17:41 GMT

Please try this.

index="idx" sourcetype="st" host="host" |search (Port=1 OR Port=0 OR Port=23)

Re: Splunk Query Fails When I use '/' in Query

gcusello — Mon, 20 Nov 2017 09:38:46 GMT

Hi pramit46,
Use brackets

index="idx" sourcetype="st" host="host" Port="1/0/23"

otherwise use regex command

| regex "1\/0\/23"

Bye.
Giuseppe

Re: Splunk Query Fails When I use '/' in Query

pramit46 — Mon, 20 Nov 2017 10:11:59 GMT

I guess you meant quotes, not bracket. If that is the case, then I already tried that too but did not help either.
I am not sure how I can use regex since I am receiving this value from another panel as part drilldown in that panel. If you have any clue on this, then please let me know I'll try that for sure.

Re: Splunk Query Fails When I use '/' in Query

pramit46 — Mon, 20 Nov 2017 10:12:50 GMT

I am supposed to get this value from another panel as part of drilldown. so I'm not sure how to apply your approach.

Re: Splunk Query Fails When I use '/' in Query

kamlesh_vaghela — Mon, 20 Nov 2017 10:27:57 GMT

Hi @pramit46,

You can set custom drilldown on that panel.

Can you please try below code in panel drilldown?

 <drilldown>
          <link target="_blank">search?q=index="idx" sourcetype="st" host="host" [ | makeresults | eval Port="$row.Port$" | eval Port=split(Port,"/") | mvexpand Port | table Port | return 5 Port ]&amp;earliest=-24h@h&amp;latest=now</link>
        </drilldown>

Change drilldown token "$row.Port$" as per your requirement.

Thanks

Re: Splunk Query Fails When I use '/' in Query

pramit46 — Tue, 29 Sep 2020 16:50:50 GMT

I read this trick somewhere and it worked for me:

index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"

Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")

Re: Splunk Query Fails When I use '/' in Query

gcusello — Mon, 20 Nov 2017 10:50:34 GMT

Yes quotes!
Bye.
Giuseppe

Re: Splunk Query Fails When I use '/' in Query

pramit46 — Tue, 21 Nov 2017 06:56:54 GMT

I did not try this but I think this would also work. But since the trick I found out yesterday seemed less work, I chose that. But yes, I think this would also work. I liked this idea and may use this in future if needed. thanks a lot @kamlesh_vaghela