Getting Data In

How to replace single backslash (\) with double back slash(\\) from a base search result which is a token value and it is used as an input for the sub search?

sureshmurgan
Path Finder

Base Search:
We are fetching the data from the field named WMIError as given below,

WMIError="Unable to connect to root\cimv2*" (This is taken as the input value for the subsearch as a drill down)

      <set token="WMI">$row.WMIError$</set>       (Here it is taken as the input)

Subsearch (Drilldown) :

  <title>Host details for $WMI$"</title>
   <table>
    <search>
     ADSite_Membership="$WMI$"
    </search>
  </table>
</panel>

It is not resulting anything as the token value has a backslash to it (Unable to connect to root\cimv2).

How to replace single backslash () with double back slash(\) from this token before searching from here? Any help is appreciated.

0 Karma

woodcock
Esteemed Legend

Change your drilldown search from this:

  ADSite_Membership="$WMI$"

To this:

| makeresults 
| eval value="$WMI$"
| map search="search ADSite_Membership=\"$$value$$\""

BTW, you should never, ever Ever, EVER rely on indexes_searched_by_default in your production stuff.

0 Karma

sureshmurgan
Path Finder

This didn't work on my first attempt, will try this as well. Thanks Wood!

0 Karma

woodcock
Esteemed Legend

I actually tested it and it worked for me on 7.2.something.

0 Karma

sureshmurgan
Path Finder

Here's the entire source code for better understanding. Here drilldown is not returning any result because base search result has one backslash to it. We need to somehow change the resulting value in the base search which is the input for drill down, to replace \ to \ and it should happen automatically when we click on the resulting base search row value where it only has single backslash, ( WMIError="Unable to connect to root\cimv2"). Need some modification in the drill down search.

Time

 <earliest>-24h@h</earliest>
 <latest>now</latest>






 <search>
   <query>index=sccm_uk source="C:\\Windows\\CCM\\Logs\\execmgr.log" sourcetype=WindowsCCMLogs host="*" WMIError="Unable to connect to root\\cimv2*" 

           |dedup host
           |stats count(host) as #Hosts by WMIError

           |sort 0 - #Hosts
           |addcoltotals #Hosts</query>
   <earliest>$field1.earliest$</earliest>
   <latest>$field1.latest$</latest>
   <sampleRatio>1</sampleRatio>
 </search>
 <option name="count">20</option>
 <option name="dataOverlayMode">none</option>
 <option name="drilldown">cell</option>
 <option name="percentagesRow">false</option>
 <option name="rowNumbers">false</option>
 <option name="totalsRow">false</option>
 <option name="wrap">true</option>
 <drilldown>
   <set token="WMI">$row.WMIError$</set>
 </drilldown>







 <search>
   <query>index=sccm_uk source="C:\\Windows\\CCM\\Logs\\execmgr.log" sourcetype=WindowsCCMLogs host="*" WMIError="$WMI$"
          |convert ctime(_time) as Time timeformat="%d-%m-%Y %H:%M:%S"
          |stats latest(WMIError) as WMIError values(Time) as Time BY host</query>
   <earliest>$field1.earliest$</earliest>
   <latest>$field1.latest$</latest>
 </search>
0 Karma

sureshmurgan
Path Finder

Here's the entire source code for better understanding. Here drilldown is not returning any result because base search result has one backslash to it. We need to somehow change the resulting value in the base search which is the input for drill down, to replace \ to \ and it should happen automatically when we click on the resulting base search row value where it only has single backslash, For eg : WMIError="Unable to connect to root\cimv2"

WMi Test

<input type="time" token="field1">
  <label>Time</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <search>
      <query>index=sccm_uk source="C:\\Windows\\CCM\\Logs\\execmgr.log" sourcetype=WindowsCCMLogs host="*" WMIError="Unable to connect to root\\cimv2*" 

              |dedup host
              |stats count(host) as #Hosts by WMIError

              |sort 0 - #Hosts
              |addcoltotals #Hosts</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
      <set token="WMI">$row.WMIError$</set>
    </drilldown>
  </table>
</panel>


<panel depends="$WMI$">
  <title>Host details for $WMI$</title>
  <table>
    <search>
      <query>index=sccm_uk source="C:\\Windows\\CCM\\Logs\\execmgr.log" sourcetype=WindowsCCMLogs host="*" WMIError="$WMI$"
             |convert ctime(_time) as Time timeformat="%d-%m-%Y %H:%M:%S"
             |stats latest(WMIError) as WMIError values(Time) as Time BY host</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
  </table>
</panel>
0 Karma

koshyk
Super Champion

I'm not sure if the reason is related to backslash,
but if you want single backslash to double, please do something like below

| eval WMIError = replace(WMIError, "\\\\","\\\\\\")

This will convert single to double backslash

sureshmurgan
Path Finder

This worked right when I added it to my base query.
Search result of the base query had an additional backslash but it fits the purpose. Thanks koshyk!

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...