topic Missing extra backslash in a "source" token to work properly in search query, any ideas? in Dashboards & Visualizations

Missing extra backslash in a "source" token to work properly in search query, any ideas?

mpham07 — Wed, 30 Sep 2020 00:54:22 GMT

Hello all,

I am relatively new to Splunk and creating dashboard with XML, so any recommendations and tips are greatly appreciated.

So I have a dashboard with a drop-down menu with a list of sources - I did this because we a have a weekly CSV report so the user can pick a file based on its date within the file name. When the panel relying on the "source" token to do the search, it's missing a backslash to work properly. The source code and explanation below.

Drop-down menu:

<input type="dropdown" token="source_csv" searchWhenChanged="true">
      <label>Select a report week:</label>
      <prefix>source=</prefix>
      <default>*</default>
      <choice value="*">All</choice>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>
          index="example_reports" | chart count by source 
        </query>
      </search>
    </input>

So when a panel with the search below is done, nothing shows up because it's missing a backslash.

host="example_host" index="example_index" $source_csv$ | stats distinct_count(ip)

The search query comes out as:

host="example_host" index="example_index" source=D:\example\report-2018-12-25.csv | stats distinct_count(ip)

The issue is that the source value needs two backslashes for it to work:
source=D:\example\report-2018-12-25.csv

Is there anyway to get the token to have two backslashes to the directory with the token or search query? Thank you in advance.

I did search for solutions on this by adding |s$ and search string, but couldn't get it to work right...

Re: Missing extra backslash in a "source" token to work properly in search query, any ideas?

jkat54 — Thu, 13 Jun 2019 13:52:33 GMT

Yes, try this in your dynamic search that populates the drop down or prior to using the token in sub panels.

 | rex mode=sed field=source "s/\\/\\/"

  | eval field=$source$
  | rex mode=sed field=source "s/\\\/\\\\\\\/"

Re: Missing extra backslash in a "source" token to work properly in search query, any ideas?

mpham07 — Wed, 30 Sep 2020 00:54:25 GMT

Hello jkat54,

I tried both and they didn't work, I get a "Could not create search. Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."

Is this the correct way to input the search in the drop-down panel? Thanks again.

host="example_host" index="example_index" | rex mode=sed field=source "s/\/\/"| chart count by source

Re: Missing extra backslash in a "source" token to work properly in search query, any ideas?

jazzypai — Thu, 13 Jun 2019 14:46:35 GMT

To troubleshoot, do the following (this works but just to explain the process);

| makeresults count=1
| eval source="D:\example\report-2015-05-05.csv"
| rex field=source mode=sed "s/\\\/\\\\\\\/g"

You'll see the result you desired, hopefully, I do.. But once your regex is confirmed then put it in your search and carry on.

I tried using the regex provided above and didn't see the result you wanted so it most likely wouldn't work even with your search provided.

Re: Missing extra backslash in a "source" token to work properly in search query, any ideas?

mpham07 — Thu, 13 Jun 2019 15:09:47 GMT

Thank you so much jazzypai! I got it to work with your rex line. Here is what I put in for the drop down search:

host="example_host" index="example_index"  | rex field=source mode=sed "s/\\\/\\\\\\\/g" | chart count by source

Then it came out right for the search queries that used "source_csv" tokens! Thank you so much for the help and troubleshooting guys/gals! :'D

Re: Missing extra backslash in a "source" token to work properly in search query, any ideas?

mpham07 — Wed, 30 Sep 2020 00:54:36 GMT

With the help of jazzypai and jkat54, the answer is below:

Thank you so much jazzypai! I got it to work with your rex line. Here is what I put in for the drop down search:

host="example_host" index="example_index" | rex field=source mode=sed "s/\\/\\\\/g" | chart count by source

Then it came out right for the search queries that used "source_csv" tokens! Thank you so much for the help and troubleshooting guys/gals! :'D

Re: Missing extra backslash in a "source" token to work properly in search query, any ideas?

jazzypai — Thu, 13 Jun 2019 15:27:58 GMT

Glad it worked out! Good job!