Dashboards & Visualizations

Using a windows pathname in a searchTemplate in a form.


I have logs from various sources, including windows. I have written a simple form for selecting which directory to analyze, with a dynamically populated radio list to select the directory. It doesn't work on windows due the "\" characters in the directory name.

  .searchTemplate. index=main dir="$dir$" ./searchTemplate.
    .input type="radio" token="dir".
    .label.Select directory ./label.
    .choice value="*">Any./choice.
    .![CDATA[index=main sourcetype=syslog | stats count by dir]].

("<" and ">" removed to get this to display at all).

I have no control over the values in "dir" - any windows path including "\" fails the search, and any that ends with "\" (not uncommon) give a PARSER error
"Applying intentions failed unbalanced quotes."

Is there some syntax that will allow the dir="$dir$" clause to pass the value unescaped?


Tags (3)
0 Karma


Fixed. The trick was to add a space to the variable in quotes so the final " is not escaped, then trim it in the search.

| where dir=rtrim("$dir$ ")

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!