Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to trim the last line from query

avni26
Explorer
‎07-29-2019 10:54 AM

Hi ,
I am passing my search query in token using $job.search$, want to remove the last line from the query.
For example , my query is
index="idx2" report="ABC"
| table number,description,description,group,sev ,closurec, created, state, closed_date
| timechart count by state
So , I want to evaluate/pass only below in defined token
index="idx2" report="ABC"
| table number,description,description,group,sev ,closurec, created, state, closed_date
Please let me know , how to remove the line after last occurrence of pipe"|" and retain all things before it.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2019 12:40 PM

Try editing the token as part of the drilldown. Edit the source dashboard's source and you'll see something like this:

<drilldown>
  <link target="_blank">search?q=$job.search$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>

A little-known feature of Simple XML is the ability to modify tokens before invoking the drilldown. I haven't done a lot with this feature, so I'm not sure of all it can do or even if it can do what is below. Experiment and let us know how it goes.

<drilldown>
  <eval token="job_search">$job.search$</eval>
  <eval token="srch">rex field=$job_search$ "(?<srch>.*)\|"</eval>
  <link target="_blank">search?q=index=$srch$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

avni26
Explorer
‎07-30-2019 04:10 AM

@richgalloway
Thank you for your response. It not worked. After using rex field, drilldown coming like below
rex field=search index="idx2" report="ABC" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state "(?.*)|"
Please suggest.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2019 07:04 AM

What does your <drilldown> paragraph look like?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

avni26
Explorer
‎07-30-2019 09:07 AM

@richgalloway Please see below.

<search>
 <query>index="idx2" report="ABC" | table 
  number,description,description,group,sev,closurec, created, state, closed_date
  |stats count by state                 
  </query>
  <set token="job_search">$job.search$</set>
  <set token="srch">rex field=$job_search$ "(?.*)\|"</set>
 </search>
 <option name="drilldown">cell</option>
 <drilldown>
  <link target="_blank">search?q=$srch$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$&amp;form.sel_group=$sel_group$&amp;;display.page.search.mode=smart&amp;dispatch.sample_ratio=1%0A&amp;workload_pool=&amp;display.page.search.tab=statistics&amp;display.general.type=statistics
 </drilldown>
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2019 09:48 AM

Have you tried the code from my answer? The code that uses <eval token... and not <set token...? The eval and set options do different things.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

avni26
Explorer
‎07-31-2019 12:12 AM

Yes , that also not worked. 😞

0 Karma
Reply

jacobpevans
Motivator
‎07-29-2019 11:46 AM

Adding to @richgalloway 's answer, the full regex would look like this:

| makeresults
| eval job.search="index=\"idx2\" report=\"ABC\" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state"
| rex  field=job.search "(?<search>.*)\s*\|[^\|]+"

(?<search>.*)\s*\|[^\|]+
(?<search>.*) - Grab everything .* in the job.search field and assign it to the new field search
\s*\|[^\|]+ - Match anything with any number of spaces \s followed by a pipe | followed by any number of non-pipe characters [^\|]+. Since they are not within the parentheses, all matching characters are discarded.

You could also force it to match the timechart command:

| makeresults
| eval job.search="index=\"idx2\" report=\"ABC\" | table number,description,description,group,sev ,closurec, created, state, closed_date | timechart count by state"
| rex  field=job.search "(?<search>.*)\s*\|\s*timechart[^\|]+"
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2019 11:17 AM

It's not clear at what point you want to change $job.search$, but you may be able to use rex.

... | eval search=$job.search$ | rex field=search "(?<token>.*)\|" | ...

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

avni26
Explorer
‎07-29-2019 11:59 AM

@richgalloway wanted this for drilldown to open in new window. For this I am passing whole search query in one token to drilldown. But facing challenge when query conatins stats/timechart at the end.

0 Karma
Reply

avni26
Explorer
‎07-29-2019 12:07 PM

I am trying something like this inside the search query, but Its not working

replace($job.search$,"\[|\]|\"","")

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...