populating a search with a domain in user field

maboltins
Engager

Essentially I have a working search, but in the original data the username field is populated with a "\" entry, e.g. "splunk\fred". So if I use this in a populating search for a drop-down box, this won't work as a filter, as you need to have this format "\\".

Anyone have any suggestions on how to manage this?

Original strings:

    <![CDATA[sourcetype=pan_traffic earliest=-24h | stats count by src_user]]>
    ...
    Applications
    sourcetype=pan_traffic src_user="$username$" host="$site$" | top application
    Application
    Count
    bar
    ...

1 Solution

lguinn2
Legend

Try this:

  <populatingsearch fieldforvalue="src_user" fieldforlabel="src_user_label">
          <![CDATA[sourcetype=pan_traffic earliest=-24h | stats count by src_user 
          | eval src_user_label = replace(src_user,"\\","\\\\") ]]>
        </populatingsearch>
        <chart>
    ...
      <title>Applications</title>
      <searchtemplate>sourcetype=pan_traffic src_user="$username$" host="$site$" | top application</searchtemplate>

This should give you 2 fields for the drop-down: src_user, which you can use for your search, and src_user_label. src_user_label is the same field, but is in the form <domain>\\<username> instead of <domain>\<username>. You have to double up on the \ because the replace function uses regular expressions.

0 Karma
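As an added illustration (not from this thread and not Splunk's own code), the same two steps in Python: `dropdown_entries` mirrors the populating search's regex-based `replace`, producing the value/label pair for each drop-down entry, and `spl_quote`/`build_search` show the escaping the search template needs before a drop-down value is substituted into `src_user="..."`. It goes slightly beyond the thread by also escaping embedded double quotes; the sample `src_user` values are constructed.

```python
import re

# Constructed sample of what `stats count by src_user` might return.
SAMPLE_SRC_USERS = ["splunk\\fred", "corp\\alice", "bob"]


def dropdown_entries(src_users):
    """Return (value, label) pairs, as the populating search does.

    The label doubles every backslash, mirroring
    eval src_user_label = replace(src_user,"\\","\\\\"):
    replace() is regex-based, so a literal backslash must itself be
    escaped in the pattern, and again in the replacement text.
    """
    entries = []
    for user in src_users:
        label = re.sub(r"\\", r"\\\\", user)  # one backslash -> two
        entries.append((user, label))
    return entries


def spl_quote(value):
    """Quote a value for a search term such as src_user="...".

    Backslashes and double quotes are escaped so the value is matched
    literally; substituting the raw drop-down value would leave a lone
    backslash in the search string and break the filter.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_search(username, site):
    """Fill the dashboard's search template with escaped token values."""
    return (f"sourcetype=pan_traffic src_user={spl_quote(username)} "
            f"host={spl_quote(site)} | top application")


if __name__ == "__main__":
    for value, label in dropdown_entries(SAMPLE_SRC_USERS):
        print(f"value={value!r:20} label={label!r}")
    print(build_search(SAMPLE_SRC_USERS[0], "site1"))
```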

lguinn2
Legend

Ah - thank goodness for the missing slashes - I just inserted them for you. They make the following answer possible!

0 Karma

maboltins
Engager

In this case yes. If it's not too hard, I'd like to keep it domain agnostic, i.e. if I had to package this to allow for any domain.

I just noticed the slashes are missing from my post; note there's supposed to be a slash between and a double slash at the end of the first paragraph.

lguinn2
Legend

Is it a known list of domains?