I have logs from various sources, including Windows. I have written a simple form for selecting which directory to analyze, with a dynamically populated radio list to select the directory. It doesn't work on Windows due to the "\" characters in the directory name.
.searchTemplate. index=main dir="$dir$" ./searchTemplate.
.fieldset.
.input type="radio" token="dir".
.label.Select directory ./label.
.choice value="*">Any./choice.
.populatingSearch
fieldForValue="dir"
fieldForLabel="dir".
.![CDATA[index=main sourcetype=syslog | stats count by dir]].
./populatingSearch.
./input.
...
("<" and ">" removed to get this to display at all).
I have no control over the values in "dir" - any Windows path including "\" fails the search, and any that ends with "\" (not uncommon) gives a PARSER error:
"Applying intentions failed unbalanced quotes."
Is there some syntax that will allow the dir="$dir$" clause to pass the value unescaped?
Thanks.
Fixed. The trick was to add a space to the variable in quotes so the final " is not escaped, then trim it in the search.
| where dir=rtrim("$dir$ ")
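An added example, not part of the original posts: a simplified Python model of why a value ending in "\" leaves the quotes unbalanced after $dir$ is substituted, and why the trailing space plus rtrim avoids that. The scanner is an assumption for illustration (inside quotes, a backslash consumes the next character), not Splunk's actual parser, and it models only the unbalanced-quote error; the sample paths are constructed.

```python
# Simplified model of quoted-string scanning; an assumption for illustration,
# not Splunk's actual parser.
ORIGINAL = 'index=main dir="$dir$"'
WORKAROUND = 'index=main | where dir=rtrim("$dir$ ")'

# Constructed sample values for the "dir" field.
SAMPLE_DIRS = ["/var/log", "C:\\Windows\\Logs", "C:\\Windows\\Logs\\"]


def substitute(template: str, dir_value: str) -> str:
    """Plain textual token substitution, as the form does with $dir$."""
    return template.replace("$dir$", dir_value)


def quotes_balanced(search: str) -> bool:
    """True if every double-quoted string in the search is closed.

    Inside quotes a backslash consumes the next character, so a
    backslash-quote pair does not terminate the string.
    """
    in_quotes = False
    i = 0
    while i < len(search):
        ch = search[i]
        if in_quotes and ch == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if ch == '"':
            in_quotes = not in_quotes
        i += 1
    return not in_quotes


def rtrim(value: str) -> str:
    """Model of rtrim() with no second argument: strip trailing spaces and tabs."""
    return value.rstrip(" \t")


def check(dir_value: str) -> dict:
    """Compare the original clause and the workaround for one dir value."""
    return {
        "original_balanced": quotes_balanced(substitute(ORIGINAL, dir_value)),
        "workaround_balanced": quotes_balanced(substitute(WORKAROUND, dir_value)),
        "value_preserved": rtrim(dir_value + " ") == dir_value,
    }


if __name__ == "__main__":
    for d in SAMPLE_DIRS:
        print(repr(d), check(d))
```

The `value_preserved` field is false for a directory name that itself ends in a space or tab, because rtrim removes that character along with the added space.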