Splunk Search

slash error in the source

splunkpoornima
Communicator

Hi all,

I have created a view that contains a dropdown for the index, and if I select the index I get all the sources in that index, like below:

Then, if I select any source, it takes me to the search app as:

Here the source contains only one single backslash, but I need a double backslash in my source.

This is the rough piece of code I have used. To get the double slash in my source, please help me with the place where I have to modify the code.


Now we take a bunch of leaps ahead and put it all together. We put in a Sorter module, a Paginator module. We put in a HiddenSearch+SimpleResultsHeader pattern to give us 'Sources (208)'. Then we duplicate the same pattern for both Sourcetypes and Hosts.


which index
index_setting
| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index
True
main


index
index

<module name="ConvertToIntention">
  <param name="settingToConvert">index_setting</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="index">
        <param name="fillOnEmpty">True</param>
        <param name="prefix">index=</param>
        <param name="value">$target$</param>
      </param>
    </param>
  </param>

  <module name="HiddenSearch">
    <param name="search">| metadata type=sources $index$</param>
    <module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp1">
      <param name="entityName">results</param>
      <param name="headerFormat">Sources (%(count)s)</param>
    </module>
  </module>

  <module name="SearchLinkLister">
        <param name="settingToCreate">list1</param>
        <param name="search">| metadata type=sources $index$</param>
        <param name="applyOuterIntentionsToInternalSearch">True</param>
          <param name="settingToCreate">list1</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">source</param>
            <param name="value">source</param>
          </list>
          <list>
            <param name="label">totalCount</param>
            <param name="labelFormat">number</param>
          </list>
        </param>
        <module name="HiddenSearch">
             <param name="search"> source=$pub$| transaction TaskBP startswith=START endswith=Succeeded </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>

             <module name="ConvertToIntention">
            <param name="settingToConvert">list1</param>
            <param name="intention">
              <param name="name">stringreplace</param>
              <param name="arg">
             <param name="pub">
              <param name="value">$target$</param> 
                </param>             
              </param>
              </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param> 

Thanks in advance,

Poornima

0 Karma
1 Solution

smolcj
Builder
|rex mode=sed field=source  "s/\\\{1}/\\\\\//g" | rex mode=sed field=source  "s////g" 

Use this regex instead.

0 Karma

Ayn
Legend

Awesome 🙂

0 Karma

splunkpoornima
Communicator

Hi guys,

Finally I tried |rex mode=sed field=source "s/\{1}/\\\//g" | rex mode=sed field=source "s/\///g"

It works properly.

Thanks, all of you.

0 Karma

smolcj
Builder

Cool, now you can write a regex to replace the front slash with a backslash: |rex mode=sed field=source "s/\///g" i.e. "sfrontslashbackslashfrontslashfrontslashfrontslashg"
Because of the formatting done by Splunkbase, I skipped the backslash in the second place. Read it and replace those words with the corresponding slashes.
Thank you

0 Karma

splunkpoornima
Communicator

Hi Ayn,

Now I am getting it like below:

source=C:\/Users\/20875\/Desktop\/TaskManager\/TaskManager_all.txt | transaction TaskBP startswith=START endswith=Succeeded

0 Karma

Ayn
Legend

You need to add the rex statement to the populating search in your SearchLinkLister (the one using the metadata command).

0 Karma

splunkpoornima
Communicator

Hi Ayn ,

I tried, but in the search app I got:

source=C:\Users\20875\Desktop\TaskManager\TaskManager_all.txt | rex mode=sed field=source "s/\{1}/\\\//g" | transaction TaskBP startswith=START endswith=Succeeded

0 Karma

Ayn
Legend

The second rex statement in the answer is empty - I don't know what the idea is there, but I think you should just remove it and use only the first rex statement. See what it gives you.

0 Karma

splunkpoornima
Communicator

Hi all,

I tried, since I am getting the error

0 Karma

sruthy
Explorer

I think the regex in the comment is missing some slashes. Can you try with the one posted in the answer?

0 Karma

splunkpoornima
Communicator

Hi smolcj, thanks for your response. I actually did what you have quoted; it shows some error like:

PARSER: Applying intentions failed Error in 'rex' command: Failed to initialize sed. Empty regular expression.

Encountered an unexpected error while parsing intentions.

0 Karma

smolcj
Builder


source=$pub$|rex mode=sed field=source "s/\{1}/\\\//g" | rex mode=sed field=source "s////g"| transaction TaskBP startswith=START endswith=Succeeded
I think this will work.
Thank you

0 Karma

splunkpoornima
Communicator

I have the SearchLinkLister and also the HiddenSearch. Do I have to use the command in both places, or only in the HiddenSearch?

0 Karma

Ayn
Legend

In your search.

0 Karma

splunkpoornima
Communicator

Actually, in the above code, where do I insert this?

0 Karma

okrabbe_splunk
Splunk Employee

Poornima,

One option is to change the format of sources returned in your query rather than trying to change it when it is clicked.

Change this search:
| metadata type=sources $index$

to this:
| metadata type=sources $index$ | rex mode=sed field=source "s/\{1}/\\\//g"
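Added example, not part of the original thread or of Splunk's code: a Python sketch of why the source value has to reach the search bar with its backslashes doubled, using the path quoted in this thread. The function names are hypothetical, and `read_source` is an assumed, simplified model of how a quoted search term is read back (`\\` and `\"` are unescaped, any other backslash sequence is left as it is).

```python
import re

# Constructed sample: the Windows source path quoted in the thread.
SAMPLE = r"C:\Users\20875\Desktop\TaskManager\TaskManager_all.txt"


def double_backslashes(value):
    # Same effect as a sed-style "replace every single backslash with two".
    return re.sub(r"\\", r"\\\\", value)


def quote_source(path):
    # Build source="..." with backslashes doubled and double quotes escaped.
    return 'source="' + double_backslashes(path).replace('"', '\\"') + '"'


def read_source(term):
    # Assumed model of the reader: inside the quotes, backslash-backslash
    # becomes one backslash and backslash-quote becomes a quote; every other
    # backslash sequence is kept unchanged.
    m = re.fullmatch(r'source="((?:[^"\\]|\\.)*)"', term)
    if m is None:
        raise ValueError("unterminated or malformed quoted value")
    return re.sub(r'\\([\\"])', r"\1", m.group(1))


if __name__ == "__main__":
    term = quote_source(SAMPLE)
    print(term)                        # doubled backslashes inside quotes
    print(read_source(term) == SAMPLE)  # round-trips to the real path

    # The intermediate result seen in the thread: backslash-slash pairs.
    slashed = 'source="' + SAMPLE.replace("\\", "\\/") + '"'
    print(read_source(slashed) == SAMPLE)  # does not match the real path

    # A path ending in a backslash swallows the closing quote unless doubled.
    try:
        read_source('source="C:\\logs\\"')
    except ValueError as exc:
        print("rejected:", exc)
```
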

splunkpoornima
Communicator

Hi Okrabbe,

Thanks for your answer.

As you said, I changed the query as above in both places (in the HiddenSearch and also in the SearchLinkLister), but still it is not coming.

0 Karma