topic Re: Esacaping the slash in Splunk Search

Esacaping the slash

splunkpoornima — Wed, 07 Nov 2012 04:43:55 GMT

Hi all,

By selecting the sources, in the search app i got the search query as

source="c:\taskmanager\taskmanager_log|Transaction TaskAction startswith=START endswith=Succeeded|

but i want the query to be as

source="c:\\taskmanager\\taskmanager_log|Transaction TaskAction startswith|

please verify the Xml code below and reply the changes to do..

Now we take a bunch of leaps ahead and put it all together. We put in a Sorter module, a Paginator module. We put in a HiddenSearch+SimpleResultsHeader pattern to give us 'Sources (208)'. Then we duplicate the same pattern for both Sourcetypes and Hosts.

which index
index_setting
| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index
True
main

index
index

<module name="ConvertToIntention">
  <param name="settingToConvert">index_setting</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="index">
        <param name="fillOnEmpty">True</param>
        <param name="prefix">index=</param>
        <param name="value">$target$</param>
      </param>
    </param>
  </param>
  <module name="HiddenSearch">
    <param name="search">| metadata type=sources $index$</param>
    <module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp1">
      <param name="entityName">results</param>
      <param name="headerFormat">Sources (%(count)s)</param>
    </module>
  </module>
  <---->
  <module name="Sorter" layoutPanel="panel_row4_col1_grp1">
    <param name="sortKey">totalCount</param>
    <param name="sortDir">desc</param>
    <param name="fields">
      <list>
        <param name="label">Source</param>
        <param name="value">source</param>
      </list>
      <list>
        <param name="label">Total Count</param>
        <param name="value">totalCount</param>
      </list>
      <list>
        <param name="label">First Time</param>
        <param name="value">firstTime</param>
      </list>
    </param>

    <module name="Paginator">
      <param name="count">10</param>
      <param name="entityName">settings</param>
      <param name="maxPages">10</param>

      <!--  This next module generates the blue links. Note that although it configures its own internal search, 
      it has a flag that allows it to apply intentions from the main context to its internal search.  
      -->
      <module name="SearchLinkLister">
        <param name="settingToCreate">list1</param>
        <param name="search">| metadata type=sources $index$ </param>       
             <param name="settingToCreate">list1</param>
              <param name="searchFieldsToDisplay">
          <list>
            <param name="label">source</param>
            <param name="value">source</param>
          </list>
          <list>
            <param name="label">totalCount</param>
            <param name="labelFormat">number</param>
          </list>
        </param>

              <module name="HiddenSearch">
                <param name="search"></param>
                 <param name="search">
                  source="$pub$"| transaction TaskBP startswith=START endswith=Succeeded
                </param>
                <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>


        <module name="ConvertToIntention">
            <param name="settingToConvert">list1</param>
            <param name="intention">
              <param name="name">stringreplace</param>
              <param name="arg">

            <param name="pub">
              <param name="value">$target$</param> 
                </param>             
              </param>
              </param>

              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>

Re: Esacaping the slash

Ayn — Wed, 07 Nov 2012 09:04:52 GMT

It's a bit rude to command people to read through a page or two of XML code just for "verifying". Identify which specific problems you're having, which specific section of the code you deem to be relevant, then paste that.

Re: Esacaping the slash

Ayn — Wed, 07 Nov 2012 09:05:39 GMT

Oh, also please start indenting code blocks with 4 spaces when pasting here on this site. Otherwise the formatting will be incorrect and your questions will then make even less sense...

Re: Esacaping the slash

smolcj — Wed, 07 Nov 2012 10:11:39 GMT

Hi,
i am not pretty sure about the issue, but i can help you to identify whether your issue is same as mine.
1. save your log in C folder (without including any directories or sub directories)
2. ....(yoursearch)| replace *\\* with *\\\\* in source
if you are getting your expected result you can start playing around to find a suitable regex to replace all the slashes in your source 🙂
you can refer this answer also

Re: Esacaping the slash

sowings — Wed, 07 Nov 2012 16:27:43 GMT

You seem to have two "search" parameters in your HiddenSearch for your updated search string. Remove the empty parameter.

Re: Esacaping the slash

splunkpoornima — Thu, 08 Nov 2012 06:17:57 GMT

where to replace *\* with *\\* ..actually i am getting the data source directlty from the Hadoop

Re: Esacaping the slash

smolcj — Thu, 08 Nov 2012 09:20:07 GMT

not familiar with Hadoop. i think u can update the hidden search including this regex.
thanks

Re: Esacaping the slash

splunkpoornima — Thu, 15 Nov 2012 13:30:26 GMT

in the hidden search i tried this (replace *\* with *\\* in source

but it shows me error