Ha, finally it worked with this regex. If somebody knows a much more effective one, please help.
..| rex mode=sed field=source "s/\\\{1}/\\\\\//g"
| rex mode=sed field=source "s/\///g"
THANK YOU
As I mentioned, I am using a dropdown box in this view, i.e. the user will select a source from the dropdown box and he will get some statistics of that source, number of events, bla bla bla... So I used this rex along with the search used to populate the dropdown box.
Hope it helped you.
thanks
hi smolcj
Actually I am also facing the same problem. I have created the view and I have the sources in the form of a link lister.
My doubt is in which piece of code we have to use the above command.
Hint: If you're searching for the source field,
| metadata type=sources index=<index>
is going to be much faster than
index=main | top source
The latter has to search all of the data in the index, while the former only consults the metadata. Much less information is read from disk, and the search will be much faster.
You are right, replace is for one-time use. Thank you.
From the docs on replace: "Replaces a single occurrence of the first string with the second within the specified fields". You can't use replace. Use rex.
I was wondering that when I am trying with the replace command
"...|replace *\* with *\\* in source"
(asterisk followed by 2 or 4 slashes and then asterisk again)
, it worked well for first backslash.
'C:/folder/filename.txt' is replaced by 'C://folder/filename.txt'. I wish it happened for the second slash also.
THANK YOU
Like I said, you might need to play around a bit with the number of backslashes, due to the way Splunkweb handles things. Don't stop trying just because you got an error with that specific regex I showed you.
Thanks Ayn, but I already tried it and I am getting an error: "Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."
But when I tried with replace *\* with *\\* in source, it worked for the first backslash and I am playing around to make it happen for all the slashes.
THANK YOU
Something like
... | rex mode=sed field=source "s/\\/\\\\/g"
or similar should get you going. Splunkweb can be a bit tricky to work with when it comes to backslashes so you might need to apply more or less, but that's just a matter of playing around a bit 🙂
So do I have to use a transformation for the source field? Can you suggest the regex needed to transform the backslash in the source file name to a double backslash?
thanks
Additionally, you will want to transform the 'source' field to accommodate Windows paths before setting it in the replacement token (i.e., as part of your search to populate the pulldown). See this answer for a helpful regex.
I am sure about my search query as I used it with text box inputs and saved searches. Now I inspected through 'Jobs' as Ayn suggested, and there too I found the filepath as the issue. Can you help me with a rex to replace the source filename?
I tried with '/s'. As I am not good at rex, I am not able to debug the issue.
You can check what the search looks like if you choose the "Jobs" link to the upper right in splunkweb. There you can confirm if the search looks as it should or if there is something wrong with it.
In my form I need a dropdown box and a flashchart. The dropdown box is populated with source, and by selecting the source a search is done and I should get a chart.
The search query used to populate the dropdown box is like
index=main sourcetype=* | top source
and it is populated with all the source values. Good!
Then my search template is like
index=main source=$tokenusedindropdown$ mysearch| chart count by Field_PC
I am pretty sure that the query will work properly to obtain the chart. The issue here is the filepath.
A single backslash in the source filepath should be replaced by a double one. I tried rex using 'sed' and 'sedcmd'.
It still does not work.
Please help.
Could you explain more clearly what you're trying to do? What is replaced, what results are you talking about etc...