Using a windows pathname in a searchTemplate in a ...

steveta_uk · ‎07-13-2012

I have logs from various sources, including windows. I have written a simple form for selecting which directory to analyze, with a dynamically populated radio list to select the directory. It doesn't work on windows due the "\" characters in the directory name.

  .searchTemplate. index=main dir="$dir$" ./searchTemplate.
  .fieldset.
    .input type="radio" token="dir".
    .label.Select directory ./label.
    .choice value="*">Any./choice.
    .populatingSearch 
    fieldForValue="dir" 
    fieldForLabel="dir".
    .![CDATA[index=main sourcetype=syslog | stats count by dir]].
     ./populatingSearch.
      ./input.
    ...

("<" and ">" removed to get this to display at all).

I have no control over the values in "dir" - any windows path including "\" fails the search, and any that ends with "\" (not uncommon) give a PARSER error
"Applying intentions failed unbalanced quotes."

Is there some syntax that will allow the dir="$dir$" clause to pass the value unescaped?

thanks.

steveta_uk · ‎07-13-2012

Fixed. The trick was to add a space to the variable in quotes so the final " is not escaped, then trim it in the search.

| where dir=rtrim("$dir$ ")

Using a windows pathname in a searchTemplate in a form.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation