Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Query Fails When I use '/' in Query

pramit46
Contributor
‎11-20-2017 01:13 AM

I have a query as follows:
index="idx" sourcetype="st" host="host" |search Port=1/0/23

It shows "No Results Found"

But I know there are more than 1 events available for the Port 1/0/23. which show up when I remove the "search filter" part and run it in verbose mode.
I think it is ignoring the value due to that '/'
Any idea how to handle this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pramit46
Contributor
‎11-20-2017 02:41 AM

I read this trick somewhere and it worked for me:

index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"

Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pramit46
Contributor
‎11-20-2017 02:41 AM

I read this trick somewhere and it worked for me:

index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"

Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 01:38 AM

Hi pramit46,
Use brackets

index="idx" sourcetype="st" host="host" Port="1/0/23"

otherwise use regex command

| regex "1\/0\/23"

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

pramit46
Contributor
‎11-20-2017 02:11 AM

I guess you meant quotes, not bracket. If that is the case, then I already tried that too but did not help either.
I am not sure how I can use regex since I am receiving this value from another panel as part drilldown in that panel. If you have any clue on this, then please let me know I'll try that for sure.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 02:50 AM

Yes quotes!
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-20-2017 01:17 AM

Please try this.

index="idx" sourcetype="st" host="host" |search (Port=1 OR Port=0 OR Port=23)
0 Karma
Reply
Solved! Jump to solution

pramit46
Contributor
‎11-20-2017 02:12 AM

I am supposed to get this value from another panel as part of drilldown. so I'm not sure how to apply your approach.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-20-2017 02:27 AM

Hi @pramit46,

You can set custom drilldown on that panel.

Can you please try below code in panel drilldown?

 <drilldown>
          <link target="_blank">search?q=index="idx" sourcetype="st" host="host" [ | makeresults | eval Port="$row.Port$" | eval Port=split(Port,"/") | mvexpand Port | table Port | return 5 Port ]&amp;earliest=-24h@h&amp;latest=now</link>
        </drilldown>

Change drilldown token "$row.Port$" as per your requirement.

Thanks

Reply
Solved! Jump to solution

pramit46
Contributor
‎11-20-2017 10:56 PM

I did not try this but I think this would also work. But since the trick I found out yesterday seemed less work, I chose that. But yes, I think this would also work. I liked this idea and may use this in future if needed. thanks a lot @kamlesh_vaghela

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...