Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search run to nothing when I passed a variable contain backlash

ToniHuynh
Explorer
‎07-26-2020 08:16 PM

Hi everyone,

I am trying to search for a file path (e.g. C:\Finance\Salary) but the result return none. It works if I type directly C:\\Finance\\Salary but it does not work if I passed it to a variable. Although the variable shows correct value.

 

 

index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="PTL*" Account_Name!="*$" 
| eval FilePath=urldecode("C%3A%5CFinance%5CSalary") 
| eval FilePath=replace(ObjectName,"\\\\","\\\\\\") 
| search Object_Name=FilePath
| dedup _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription 
| table _time host Account_Name Account_Domain Object_Name FilePath Accesses EventCodeDescription 
| sort _time desc

 

 

The below search will show result if I replace: 

 

 

|eval Object_Name="C:\\Finance\\Salary"

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmugglet
Communicator
‎07-29-2020 10:27 PM

Just noticed.
In your original query

 

| eval FilePath=urldecode("C%3A%5CFinance%5CSalary") 
| eval FilePath=replace(ObjectName,"\\\\","\\\\\\") 
| search Object_Name=FilePath


You're setting FilePath in 1st line
Then setting it again in the next line?

Should second line be ?

| eval Object_Name = replace(ObjectName  etc etc

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:01 PM


try where instead of search, it's easier to determine if Splunk is looking for an Object_Name with the value FilePath, or if it's looking an Object_Name field with the same value as the FilePath field you created.


i.e.

where Object_Name==FilePath

Otherwise you could use regex 

where match(Object_Name,"^C\:\\Finance\\Salary")

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ToniHuynh
Explorer
‎07-26-2020 11:40 PM

Thanks for your response but both of your suggestions do not work. Actually, I would like to decode the FilePath with sent from the main dashboard to the drilldown dashboard. The urldecode shows correct path and I put       | eval FileName=replace(ObjectName,"\\\\","\\\\\\")   to change it to "C:\\Finance\\Salary" but don't know why there is no matched to that. However, if I put direct |search Object_Name="C:\\Finance\\Salary" then it shows matched results.

0 Karma
Reply
Solved! Jump to solution
Solution

kmugglet
Communicator
‎07-29-2020 10:27 PM

Just noticed.
In your original query

 

| eval FilePath=urldecode("C%3A%5CFinance%5CSalary") 
| eval FilePath=replace(ObjectName,"\\\\","\\\\\\") 
| search Object_Name=FilePath


You're setting FilePath in 1st line
Then setting it again in the next line?

Should second line be ?

| eval Object_Name = replace(ObjectName  etc etc

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-27-2020 01:59 AM

search can't compare field values. you should use where at the case.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...