How to trim the last line from query

avni26
Explorer

Hi,
I am passing my search query in a token using $job.search$, and I want to remove the last line from the query.
For example, my query is

index="idx2" report="ABC"
| table number,description,description,group,sev ,closurec, created, state, closed_date
| timechart count by state

So, I want to evaluate/pass only the part below in the defined token:

index="idx2" report="ABC"
| table number,description,description,group,sev ,closurec, created, state, closed_date

Please let me know how to remove the line after the last occurrence of the pipe "|" and retain everything before it.

0 Karma

richgalloway
SplunkTrust

Try editing the token as part of the drilldown. Edit the source dashboard's source and you'll see something like this:

<drilldown>
  <link target="_blank">search?q=$job.search$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>

A little-known feature of Simple XML is the ability to modify tokens before invoking the drilldown. I haven't done a lot with this feature, so I'm not sure of all it can do or even if it can do what is below. Experiment and let us know how it goes.

<drilldown>
  <eval token="job_search">$job.search$</eval>
  <eval token="srch">rex field=$job_search$ "(?<srch>.*)\|"</eval>
  <link target="_blank">search?q=index=$srch$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>
---
If this reply helps you, Karma would be appreciated.
0 Karma

avni26
Explorer

@richgalloway
Thank you for your response. It did not work. After using rex field, the drilldown comes out like below:

rex field=search index="idx2" report="ABC" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state "(?<srch>.*)|"

Please suggest.

0 Karma

richgalloway
SplunkTrust

What does your <drilldown> paragraph look like?

---
If this reply helps you, Karma would be appreciated.
0 Karma

avni26
Explorer

@richgalloway Please see below.

<search>
  <query>index="idx2" report="ABC" | table
    number,description,description,group,sev,closurec, created, state, closed_date
    |stats count by state
  </query>
  <set token="job_search">$job.search$</set>
  <set token="srch">rex field=$job_search$ "(?<srch>.*)\|"</set>
</search>
<option name="drilldown">cell</option>
<drilldown>
  <link target="_blank">search?q=$srch$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$&amp;form.sel_group=$sel_group$&amp;;display.page.search.mode=smart&amp;dispatch.sample_ratio=1%0A&amp;workload_pool=&amp;display.page.search.tab=statistics&amp;display.general.type=statistics</link>
</drilldown>
0 Karma

richgalloway
SplunkTrust

Have you tried the code from my answer? The code that uses <eval token... and not <set token...? The eval and set options do different things.

---
If this reply helps you, Karma would be appreciated.
0 Karma

avni26
Explorer

Yes, that also did not work. 😞

0 Karma

jacobpevans
Motivator

Adding to @richgalloway's answer, the full regex would look like this:

| makeresults
| eval job.search="index=\"idx2\" report=\"ABC\" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state"
| rex  field=job.search "(?<search>.*)\s*\|[^\|]+"

(?<search>.*)\s*\|[^\|]+
(?<search>.*) - Grab everything (.*) in the job.search field and assign it to the new field "search".
\s*\|[^\|]+ - Match any number of spaces (\s*) followed by a pipe (\|) followed by any number of non-pipe characters ([^\|]+). Since they are not within the parentheses, all matching characters are discarded.

You could also force it to match the timechart command:

| makeresults
| eval job.search="index=\"idx2\" report=\"ABC\" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state"
| rex  field=job.search "(?<search>.*)\s*\|\s*timechart[^\|]+"

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
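The regex from the answer above, applied with Python's `re` as an added illustration (not code from the thread or from Splunk), alongside a quote-aware variant: the regex splits at the last literal pipe character, so a `|` inside a quoted string in the final command (constructed case `eval y="a|b"`) would be mistaken for a command separator, which the scanner below avoids.

```python
import re

# Constructed sample: the query from the thread, ending in a timechart command.
QUERY = ('index="idx2" report="ABC" '
         '| table number,description,description,group,sev ,closurec, created, state, closed_date '
         '| timechart count by state')

# Python spelling of the answer's regex (?<search>.*)\s*\|[^\|]+ ;
# Python names groups with (?P<name>...), and fullmatch() anchors both ends.
LAST_COMMAND_RE = re.compile(r'(?P<search>.*)\s*\|[^|]+')


def trim_last_command_regex(query: str) -> str:
    """Drop the final pipe-delimited command using the thread's regex."""
    m = LAST_COMMAND_RE.fullmatch(query)
    # Greedy .* backtracks to the last '|' in the string; rstrip() removes the
    # trailing space left before that pipe. No pipe at all -> query unchanged.
    return m.group('search').rstrip() if m else query


def trim_last_command(query: str) -> str:
    """Drop the final command, ignoring pipes inside double-quoted strings."""
    last_pipe = -1
    in_quotes = False
    i = 0
    while i < len(query):
        c = query[i]
        if c == '\\' and in_quotes:
            i += 2              # skip an escaped character such as \" inside a string
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == '|' and not in_quotes:
            last_pipe = i       # remember the last pipe that is a real separator
        i += 1
    # A pipe at index 0 means the query is a single generating command; keep it.
    return query[:last_pipe].rstrip() if last_pipe > 0 else query


if __name__ == '__main__':
    print(trim_last_command_regex(QUERY))
    print(trim_last_command(QUERY))
```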

richgalloway
SplunkTrust

It's not clear at what point you want to change $job.search$, but you may be able to use rex.

... | eval search=$job.search$ | rex field=search "(?<token>.*)\|" | ...

---
If this reply helps you, Karma would be appreciated.
0 Karma

avni26
Explorer

@richgalloway I wanted this for a drilldown that opens in a new window. For this I am passing the whole search query in one token to the drilldown. But I am facing a challenge when the query contains stats/timechart at the end.

0 Karma

avni26
Explorer

I am trying something like this inside the search query, but it's not working:

replace($job.search$,"\[|\]|\"","")

0 Karma