Splunk Query Fails When I use '/' in Query

pramit46
Contributor

I have a query as follows:
index="idx" sourcetype="st" host="host" |search Port=1/0/23

It shows "No Results Found"

But I know there are more than 1 events available for the Port 1/0/23, which show up when I remove the "search filter" part and run it in verbose mode.
I think it is ignoring the value due to that '/'
Any idea how to handle this?

0 Karma
1 Solution

pramit46
Contributor

I read this trick somewhere and it worked for me:

index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"

Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name, e.g. "$parameter$").

0 Karma

gcusello
SplunkTrust

Hi pramit46,
Use brackets

index="idx" sourcetype="st" host="host" Port="1/0/23"

otherwise use regex command

| regex "1\/0\/23"

Bye.
Giuseppe

0 Karma

pramit46
Contributor

I guess you meant quotes, not brackets. If that is the case, then I already tried that too, but it did not help either.
I am not sure how I can use regex, since I am receiving this value from another panel as part of a drilldown in that panel. If you have any clue on this, then please let me know and I'll try that for sure.

0 Karma

gcusello
SplunkTrust

Yes quotes!
Bye.
Giuseppe

0 Karma

kamlesh_vaghela
SplunkTrust

Please try this.

index="idx" sourcetype="st" host="host" |search (Port=1 OR Port=0 OR Port=23)
0 Karma

pramit46
Contributor

I am supposed to get this value from another panel as part of a drilldown, so I'm not sure how to apply your approach.

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @pramit46,

You can set custom drilldown on that panel.

Can you please try the code below in the panel drilldown?

<drilldown>
  <link target="_blank">search?q=index="idx" sourcetype="st" host="host" [ | makeresults | eval Port="$row.Port$" | eval Port=split(Port,"/") | mvexpand Port | table Port | return 5 Port ]&amp;earliest=-24h@h&amp;latest=now</link>
</drilldown>

Change drilldown token "$row.Port$" as per your requirement.

Thanks

pramit46
Contributor

I did not try this, but I think this would also work. But since the trick I found out yesterday seemed less work, I chose that. But yes, I think this would also work. I liked this idea and may use this in the future if needed. Thanks a lot @kamlesh_vaghela

0 Karma