Splunk Search

Escaping the slash

splunkpoornima
Communicator

Hi all,

By selecting the sources in the search app, I got the search query as

source="c:\taskmanager\taskmanager_log|Transaction TaskAction startswith=START endswith=Succeeded|

but I want the query to be as

source="c:\\taskmanager\\taskmanager_log|Transaction TaskAction startswith|

Please verify the XML code below and reply with the changes to make.


Now we take a bunch of leaps ahead and put it all together. We put in a Sorter module, a Paginator module. We put in a HiddenSearch+SimpleResultsHeader pattern to give us 'Sources (208)'. Then we duplicate the same pattern for both Sourcetypes and Hosts.


which index
index_setting
| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index
True
main


index
index

<module name="ConvertToIntention">
  <param name="settingToConvert">index_setting</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="index">
        <param name="fillOnEmpty">True</param>
        <param name="prefix">index=</param>
        <param name="value">$target$</param>
      </param>
    </param>
  </param>
  <module name="HiddenSearch">
    <param name="search">| metadata type=sources $index$</param>
    <module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp1">
      <param name="entityName">results</param>
      <param name="headerFormat">Sources (%(count)s)</param>
    </module>
  </module>
  <---->
  <module name="Sorter" layoutPanel="panel_row4_col1_grp1">
    <param name="sortKey">totalCount</param>
    <param name="sortDir">desc</param>
    <param name="fields">
      <list>
        <param name="label">Source</param>
        <param name="value">source</param>
      </list>
      <list>
        <param name="label">Total Count</param>
        <param name="value">totalCount</param>
      </list>
      <list>
        <param name="label">First Time</param>
        <param name="value">firstTime</param>
      </list>
    </param>

    <module name="Paginator">
      <param name="count">10</param>
      <param name="entityName">settings</param>
      <param name="maxPages">10</param>

      <!--  This next module generates the blue links. Note that although it configures its own internal search, 
      it has a flag that allows it to apply intentions from the main context to its internal search.  
      -->
      <module name="SearchLinkLister">
        <param name="settingToCreate">list1</param>
        <param name="search">| metadata type=sources $index$ </param>
        <param name="settingToCreate">list1</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">source</param>
            <param name="value">source</param>
          </list>
          <list>
            <param name="label">totalCount</param>
            <param name="labelFormat">number</param>
          </list>
        </param>

        <module name="HiddenSearch">
          <param name="search"></param>
          <param name="search">
            source="$pub$"| transaction TaskBP startswith=START endswith=Succeeded
          </param>
          <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
          <param name="flags"><list>indexed</list></param>

          <module name="ConvertToIntention">
            <param name="settingToConvert">list1</param>
            <param name="intention">
              <param name="name">stringreplace</param>
              <param name="arg">
                <param name="pub">
                  <param name="value">$target$</param>
                </param>
              </param>
            </param>

            <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
            <param name="flags"><list>indexed</list></param>
0 Karma

sowings
Splunk Employee

You seem to have two "search" parameters in your HiddenSearch for your updated search string. Remove the empty parameter.

0 Karma
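
The duplicate-parameter problem pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Splunk tooling: a small Python check that reports any `<param>` name set more than once directly under the same `<module>`. `SAMPLE_VIEW` is a constructed, well-formed excerpt modelled on the XML in the question, and `find_duplicate_params` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a trimmed, well-formed excerpt modelled on the question's view XML.
SAMPLE_VIEW = r'''
<module name="SearchLinkLister">
  <param name="settingToCreate">list1</param>
  <param name="search">| metadata type=sources $index$</param>
  <param name="settingToCreate">list1</param>
  <module name="HiddenSearch">
    <param name="search"></param>
    <param name="search">source="$pub$"| transaction TaskBP startswith=START endswith=Succeeded</param>
    <param name="flags"><list>indexed</list></param>
  </module>
</module>
'''


def find_duplicate_params(xml_text):
    """Return (module name, param name, values) for every param name that
    appears more than once as a direct child of the same <module>."""
    root = ET.fromstring(xml_text)
    findings = []
    for module in root.iter("module"):      # includes the root module itself
        params = module.findall("param")    # direct children only, not nested params
        counts = Counter(p.get("name") for p in params)
        for name, n in counts.items():
            if n > 1:
                values = [(p.text or "").strip()
                          for p in params if p.get("name") == name]
                findings.append((module.get("name"), name, values))
    return findings


if __name__ == "__main__":
    for module, param, values in find_duplicate_params(SAMPLE_VIEW):
        print(f"{module}: param '{param}' is set {len(values)} times: {values}")
```

The parser requires well-formed XML, so a view with unclosed modules or a stray `<---->` line raises `ParseError` before any duplicates are reported.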

smolcj
Builder

Hi,
I am not pretty sure about the issue, but I can help you identify whether your issue is the same as mine.
1. Save your log in the C folder (without including any directories or subdirectories)
2. ....(yoursearch)| replace *\\* with *\\\\* in source
If you are getting your expected result, you can start playing around to find a suitable regex to replace all the slashes in your source 🙂
You can refer to this answer also

0 Karma

splunkpoornima
Communicator

In the hidden search I tried this (replace *\* with *\\* in source

but it shows me an error

0 Karma

smolcj
Builder

Not familiar with Hadoop. I think you can update the hidden search including this regex.
Thanks

0 Karma

splunkpoornima
Communicator

Where to replace *\* with *\\* ..actually I am getting the data source directly from the Hadoop

0 Karma

Ayn
Legend

Oh, also please start indenting code blocks with 4 spaces when pasting here on this site. Otherwise the formatting will be incorrect and your questions will then make even less sense...

Ayn
Legend

It's a bit rude to command people to read through a page or two of XML code just for "verifying". Identify which specific problems you're having, which specific section of the code you deem to be relevant, then paste that.
