I have a query as follows:
index="idx" sourcetype="st" host="host" |search Port=1/0/23
It shows "No Results Found"
But I know there are more than 1 events available for the Port 1/0/23. which show up when I remove the "search filter" part and run it in verbose mode.
I think it is ignoring the value due to that '/'
Any idea how to handle this?
I read this trick somewhere and it worked for me:
index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"
Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")
I read this trick somewhere and it worked for me:
index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"
Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")
Hi pramit46,
Use brackets
index="idx" sourcetype="st" host="host" Port="1/0/23"
otherwise use regex command
| regex "1\/0\/23"
Bye.
Giuseppe
I guess you meant quotes, not bracket. If that is the case, then I already tried that too but did not help either.
I am not sure how I can use regex since I am receiving this value from another panel as part drilldown in that panel. If you have any clue on this, then please let me know I'll try that for sure.
Yes quotes!
Bye.
Giuseppe
Please try this.
index="idx" sourcetype="st" host="host" |search (Port=1 OR Port=0 OR Port=23)
I am supposed to get this value from another panel as part of drilldown. so I'm not sure how to apply your approach.
Hi @pramit46,
You can set custom drilldown on that panel.
Can you please try below code in panel drilldown?
<drilldown>
<link target="_blank">search?q=index="idx" sourcetype="st" host="host" [ | makeresults | eval Port="$row.Port$" | eval Port=split(Port,"/") | mvexpand Port | table Port | return 5 Port ]&earliest=-24h@h&latest=now</link>
</drilldown>
Change drilldown token "$row.Port$"
as per your requirement.
Thanks
I did not try this but I think this would also work. But since the trick I found out yesterday seemed less work, I chose that. But yes, I think this would also work. I liked this idea and may use this in future if needed. thanks a lot @kamlesh_vaghela