Archive

slash error in the source

Communicator

hi all

i have created the view contains the dropdown for index and if i select the index i will get all the sources in that index like below

alt text

then if i select the any source i takes me to the search app as

alt text

here the source contains only one single backslash ..but i need double back slash in my source

This is the rough piece of code i have used ..to get the double slash in my source please tel help at what place i have to modify the code ..


Now we take a bunch of leaps ahead and put it all together. We put in a Sorter module, a Paginator module. We put in a HiddenSearch+SimpleResultsHeader pattern to give us 'Sources (208)'. Then we duplicate the same pattern for both Sourcetypes and Hosts.


which index
index_setting
| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index
True
main


index
index

<module name="ConvertToIntention">
  <param name="settingToConvert">index_setting</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="index">
        <param name="fillOnEmpty">True</param>
        <param name="prefix">index=</param>
        <param name="value">$target$</param>
      </param>
    </param>
  </param>

  <module name="HiddenSearch">
    <param name="search">| metadata type=sources $index$</param>
    <module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp1">
      <param name="entityName">results</param>
      <param name="headerFormat">Sources (%(count)s)</param>
    </module>
  </module>

  <module name="SearchLinkLister">
        <param name="settingToCreate">list1</param>
        <param name="search">| metadata type=sources $index$</param>
param name="applyOuterIntentionsToInternalSearch">True</param>
          <param name="settingToCreate">list1</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">source</param>
            <param name="value">source</param>
          </list>
          <list>
            <param name="label">totalCount</param>
            <param name="labelFormat">number</param>
          </list>
        </param>
        <module name="HiddenSearch">
             <param name="search"> source=$pub$| transaction TaskBP startswith=START endswith=Succeeded </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param>

             <module name="ConvertToIntention">
            <param name="settingToConvert">list1</param>
            <param name="intention">
              <param name="name">stringreplace</param>
              <param name="arg">
             <param name="pub">
              <param name="value">$target$</param> 
                </param>             
              </param>
              </param>
              <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
              <param name="flags"><list>indexed</list></param> 

thanks in advance

poornima

Tags (2)
0 Karma
1 Solution

Builder
|rex mode=sed field=source  "s/\\\{1}/\\\\\//g" | rex mode=sed field=source  "s////g" 

use this regex instead

View solution in original post

0 Karma

Builder
|rex mode=sed field=source  "s/\\\{1}/\\\\\//g" | rex mode=sed field=source  "s////g" 

use this regex instead

View solution in original post

0 Karma

Legend

Awesome 🙂

0 Karma

Communicator

hi guys,

finally i tried |rex mode=sed field=source "s/\{1}/\\\//g" | rex mode=sed field=source "s/\///g"

it works properly...

thanks all of of you ...

0 Karma

Builder

cool, now you can write a gex to replace the front slash to backslash |rex mode=sed field=source "s/\///g" i.e. "sfrontslashbackslashfrontslashfrontslashfrontslashg"
because of the formatting done by splunkbase backslash in second place i skipped.. read it and replace those words with corresponding slashes
thank you

0 Karma

Communicator

hi ayn,

now i am getting lik below

source=C:\/Users\/20875\/Desktop\/TaskManager\/TaskManager_all.txt | transaction TaskBP startswith=START endswith=Succeeded

0 Karma

Legend

You need to add the rex statement to the populating search in your SearchLinkLister (the one using the metadata command).

0 Karma

Communicator

Hi Ayn ,

i tried ..but i get in the search app i got

source=C:\Users\20875\Desktop\TaskManager\TaskManager_all.txt | rex mode=sed field=source "s/\{1}/\\\//g" | transaction TaskBP startswith=START endswith=Succeeded

0 Karma

Legend

The second rex statement in the answer is empty - I don't know what the idea is there, but I think you should just remove it and use only the first rex statement. See what it gives you.

0 Karma

Communicator

hi all

i tried since i am getting the error

0 Karma

Explorer

i think the regex in comment is missing some slashes, can you try with the one posted in answer.

0 Karma

Communicator

hi smolcj ...thanks for your response i actually did what u have quoted it shows some error like

PARSER: Applying intentions failed Error in 'rex' command: Failed to initialize sed. Empty regular expression.

Encountered an unexpected error while parsing intentions.

0 Karma

Builder


source=$pub$|rex mode=sed field=source "s/\{1}/\\\//g" | rex mode=sed field=source "s////g"| transaction TaskBP startswith=START endswith=Succeeded
i think this will work
thank you

0 Karma

Communicator

i have searchLinkLister and also the Hiddensearch ..does i have to use the command in both the places??? or oly in hiddensearch

0 Karma

Legend

In your search.

0 Karma

Communicator

actually in the above code where to insert this

0 Karma

Splunk Employee
Splunk Employee

Poornima,

One option is to change the format of sources returned in your query rather than trying to change it when it is clicked.

Change this search:
| metadata type=sources $index$

to this:
| metadata type=sources $index$ | rex mode=sed field=source "s/\{1}/\\\//g"

Communicator

hi Okrabbe

Thanks for your answer ..

as u said i changed the query as above in both places in( Hidden search and also in the searchLinkLister) but still it is not coming

0 Karma