Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Modify Multiselect Dropdown Menus for Indexes and Backslashes Using Tokens in Splunk

otto1
Observer
‎10-03-2024 05:01 AM

Hello Splunkers, 

I started to use splunk uni forwarder in my job and I am kinda new to systems.


My dashboard working good with standart ALL option in multiselection but when it comes to select multiple indexes from menu I've got a huge problem.

My multiselect search index is:

index="myindex"

sourcetype="pinginfo"

source="C:\\a\\b\\c\\d\\e\\f f\\g\\h\\ı-i-j\\porty*"


|table source
|dedup source

 
but when I pass  this token to reports as:

$multi_token$
| eval ping_error=case(
    like(_raw, "%Request Timeout%"), "Request_Timeout",
    like(_raw, "%Destination Host Unreachable%"), "Destination_Host_Unreachable")
| where isnotnull(ping_error) AND NOT like(_raw, "%x.y.z.net%")
| stats count as total_errors by _time, source
| timechart span=1h sum(total_errors) as total_errors by source

  
it creates a search string with only single backslashes but double back slashes..

source="C:\a\b\c\d\e\f f\e\g\ı-i-j\porty102"
| eval ping_error=case(
    like(_raw, "%Request Timeout%"), "Request_Timeout",
    like(_raw, "%Destination Host Unreachable%"), "Destination_Host_Unreachable")
| where isnotnull(ping_error) AND NOT like(_raw, "%x.y.z.net%")
| stats count as total_errors by _time, source
| timechart span=1h sum(total_errors) as total_errors by source

 

I've tried so many things but couldn't be able to solve it. 

Important Note:

In multiselect dropdown menu  elements are shown with their whole source adrees such as:

C:\a\b\c\d\e\f f\d\e\ı-i-j\porty102

Couldn't be able to show this also.


I can't change anything about splunk universal forwarders settings or the source adress because restrictions are so strict in the company.

Regards

Labels (5)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2024 06:08 PM

This is somewhat confusing.  Do you mean to say that you have a multiselect token that evaluates into the search expression shown in the first code box, or is that one of multiselect values?  If the former, I strongly suggest that you rethink the strategy because a user may well end up composing a token that evaluates into

|table source

index="myindex"

sourcetype="pinginfo"

source="C:\\a\\b\\c\\d\\e\\f f\\g\\h\\ı-i-j\\porty*"

|dedup source

This is probably not what the user wanted.

Regardless, if your really, really want double backslash - I really can't conjure up a good reason for that even in a Microsoft world, you need something like

index="myindex"

sourcetype="pinginfo"

source="C:\\\\a\\\\b\\\\c\\\\d\\\\e\\\\f f\\\\g\\\\h\\\\ı-i-j\\\\porty*"


|table source
|dedup source

 

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...