Splunk Search

Escaping the slash

splunkpoornima
Communicator

Hi all,

By selecting the sources in the search app, I got the search query as

source="c:\taskmanager\taskmanager_log|Transaction TaskAction startswith=START endswith=Succeeded|

but I want the query to be as

source="c:\\taskmanager\\taskmanager_log|Transaction TaskAction startswith|

Please verify the XML code below and reply with the changes to make.


Now we take a bunch of leaps ahead and put it all together. We put in a Sorter module, a Paginator module. We put in a HiddenSearch+SimpleResultsHeader pattern to give us 'Sources (208)'. Then we duplicate the same pattern for both Sourcetypes and Hosts.

[The module that builds the index drop-down lost its tags when pasted; only its values survive: which index, index_setting, | eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index, True, main, index, index.]

<module name="ConvertToIntention">
  <param name="settingToConvert">index_setting</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="index">
        <param name="fillOnEmpty">True</param>
        <param name="prefix">index=</param>
        <param name="value">$target$</param>
      </param>
    </param>
  </param>
  <module name="HiddenSearch">
    <param name="search">| metadata type=sources $index$</param>
    <module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp1">
      <param name="entityName">results</param>
      <param name="headerFormat">Sources (%(count)s)</param>
    </module>
  </module>

  <module name="Sorter" layoutPanel="panel_row4_col1_grp1">
    <param name="sortKey">totalCount</param>
    <param name="sortDir">desc</param>
    <param name="fields">
      <list>
        <param name="label">Source</param>
        <param name="value">source</param>
      </list>
      <list>
        <param name="label">Total Count</param>
        <param name="value">totalCount</param>
      </list>
      <list>
        <param name="label">First Time</param>
        <param name="value">firstTime</param>
      </list>
    </param>

    <module name="Paginator">
      <param name="count">10</param>
      <param name="entityName">settings</param>
      <param name="maxPages">10</param>

      <!-- This next module generates the blue links. Note that although it configures its own internal search,
           it has a flag that allows it to apply intentions from the main context to its internal search. -->
      <module name="SearchLinkLister">
        <param name="settingToCreate">list1</param>
        <param name="search">| metadata type=sources $index$</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">source</param>
            <param name="value">source</param>
          </list>
          <list>
            <param name="label">totalCount</param>
            <param name="labelFormat">number</param>
          </list>
        </param>

        <!-- Same pattern as the index intention above: turn the clicked list1 value into $pub$
             before the HiddenSearch that uses it runs. -->
        <module name="ConvertToIntention">
          <param name="settingToConvert">list1</param>
          <param name="intention">
            <param name="name">stringreplace</param>
            <param name="arg">
              <param name="pub">
                <param name="value">$target$</param>
              </param>
            </param>
          </param>
          <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
          <param name="flags"><list>indexed</list></param>

          <module name="HiddenSearch">
            <param name="search"></param>
            <param name="search">
              source="$pub$"| transaction TaskBP startswith=START endswith=Succeeded
            </param>
            <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
            <param name="flags"><list>indexed</list></param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

sowings
Splunk Employee

You seem to have two "search" parameters in your HiddenSearch for your updated search string. Remove the empty parameter.


smolcj
Builder

Hi,
I am not pretty sure about the issue, but I can help you identify whether your issue is the same as mine.
1. Save your log in the C folder (without including any directories or sub-directories).
2. ....(yoursearch)| replace *\\* with *\\\\* in source
If you get your expected result, you can start playing around to find a suitable regex to replace all the slashes in your source 🙂
You can refer to this answer also.

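To make the two stringreplace intentions in the question's XML concrete, and to show the doubled-backslash source term that the replace trick above aims for, here is an added Python model (not Splunk's code and not the original poster's): the fillOnEmpty semantics and the extra escape option are assumptions, and the sample path is constructed.

```python
def spl_escape(value: str) -> str:
    """Escape a value for the inside of a double-quoted SPL string.
    Splunk treats backslash as the escape character, so a literal backslash
    must be written as \\\\ and a literal double quote as \\"."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def stringreplace(template: str, args: dict, target: str, escape: bool = False) -> str:
    """Minimal model of the Advanced XML 'stringreplace' intention.
    Every $name$ token in template is replaced by prefix + value, where
    value has $target$ swapped for the selected setting. fillOnEmpty is
    assumed to mean 'substitute an empty string when the value is empty';
    without it an empty value leaves the token untouched. The escape flag
    is an added option, not an intention parameter."""
    out = template
    for name, spec in args.items():
        value = spec.get("value", "").replace("$target$", target)
        if escape:
            value = spl_escape(value)
        if value:
            out = out.replace(f"${name}$", spec.get("prefix", "") + value)
        elif spec.get("fillOnEmpty") == "True":
            out = out.replace(f"${name}$", "")
    return out


# Intention args and HiddenSearch templates copied from the question's XML.
INDEX_ARGS = {"index": {"fillOnEmpty": "True", "prefix": "index=", "value": "$target$"}}
PUB_ARGS = {"pub": {"value": "$target$"}}
SOURCES_TEMPLATE = "| metadata type=sources $index$"
TXN_TEMPLATE = 'source="$pub$"| transaction TaskBP startswith=START endswith=Succeeded'


def sources_search(selected_index: str) -> str:
    """Search run by the first HiddenSearch for the chosen index_setting."""
    return stringreplace(SOURCES_TEMPLATE, INDEX_ARGS, selected_index)


def transaction_search(selected_source: str, escape: bool) -> str:
    """Search run by the inner HiddenSearch for the clicked list1 source."""
    return stringreplace(TXN_TEMPLATE, PUB_ARGS, selected_source, escape)


if __name__ == "__main__":
    path = r"c:\taskmanager\taskmanager_log"  # constructed sample source value
    print(sources_search("main"))
    print(sources_search(""))                       # prefix dropped, token filled
    print(transaction_search(path, escape=False))   # single backslashes, as generated
    print(transaction_search(path, escape=True))    # doubled backslashes, as wanted
```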

splunkpoornima
Communicator

In the hidden search I tried this: replace *\* with *\\* in source

but it shows me an error.


smolcj
Builder

Not familiar with Hadoop. I think you can update the hidden search to include this regex.
Thanks


splunkpoornima
Communicator

Where do I replace *\* with *\\*? Actually I am getting the data source directly from Hadoop.


Ayn
Legend

Oh, also please start indenting code blocks with 4 spaces when pasting here on this site. Otherwise the formatting will be incorrect and your questions will then make even less sense...

Ayn
Legend

It's a bit rude to command people to read through a page or two of XML code just for "verifying". Identify which specific problems you're having, which specific section of the code you deem to be relevant, then paste that.
