Dashboards & Visualizations

Using a windows pathname in a searchTemplate in a form.


I have logs from various sources, including windows. I have written a simple form for selecting which directory to analyze, with a dynamically populated radio list to select the directory. It doesn't work on windows due the "\" characters in the directory name.

  .searchTemplate. index=main dir="$dir$" ./searchTemplate.
    .input type="radio" token="dir".
    .label.Select directory ./label.
    .choice value="*">Any./choice.
    .![CDATA[index=main sourcetype=syslog | stats count by dir]].

("<" and ">" removed to get this to display at all).

I have no control over the values in "dir" - any windows path including "\" fails the search, and any that ends with "\" (not uncommon) give a PARSER error
"Applying intentions failed unbalanced quotes."

Is there some syntax that will allow the dir="$dir$" clause to pass the value unescaped?


Tags (3)
0 Karma


Fixed. The trick was to add a space to the variable in quotes so the final " is not escaped, then trim it in the search.

| where dir=rtrim("$dir$ ")

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...