Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to Modify Multiselect Dropdown Menus for Index...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to Modify Multiselect Dropdown Menus for Indexes and Backslashes Using Tokens in Splunk
Hello Splunkers,
I started to use splunk uni forwarder in my job and I am kinda new to systems.
My dashboard working good with standart ALL option in multiselection but when it comes to select multiple indexes from menu I've got a huge problem.
My multiselect search index is:
index="myindex"
sourcetype="pinginfo"
source="C:\\a\\b\\c\\d\\e\\f f\\g\\h\\ı-i-j\\porty*"
|table source
|dedup source
but when I pass this token to reports as:
$multi_token$
| eval ping_error=case(
like(_raw, "%Request Timeout%"), "Request_Timeout",
like(_raw, "%Destination Host Unreachable%"), "Destination_Host_Unreachable")
| where isnotnull(ping_error) AND NOT like(_raw, "%x.y.z.net%")
| stats count as total_errors by _time, source
| timechart span=1h sum(total_errors) as total_errors by source
it creates a search string with only single backslashes but double back slashes..
source="C:\a\b\c\d\e\f f\e\g\ı-i-j\porty102"
| eval ping_error=case(
like(_raw, "%Request Timeout%"), "Request_Timeout",
like(_raw, "%Destination Host Unreachable%"), "Destination_Host_Unreachable")
| where isnotnull(ping_error) AND NOT like(_raw, "%x.y.z.net%")
| stats count as total_errors by _time, source
| timechart span=1h sum(total_errors) as total_errors by source
I've tried so many things but couldn't be able to solve it.
Important Note:
In multiselect dropdown menu elements are shown with their whole source adrees such as:
C:\a\b\c\d\e\f f\d\e\ı-i-j\porty102Couldn't be able to show this also.
I can't change anything about splunk universal forwarders settings or the source adress because restrictions are so strict in the company.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is somewhat confusing. Do you mean to say that you have a multiselect token that evaluates into the search expression shown in the first code box, or is that one of multiselect values? If the former, I strongly suggest that you rethink the strategy because a user may well end up composing a token that evaluates into
|table source
index="myindex"
sourcetype="pinginfo"
source="C:\\a\\b\\c\\d\\e\\f f\\g\\h\\ı-i-j\\porty*"
|dedup sourceThis is probably not what the user wanted.
Regardless, if your really, really want double backslash - I really can't conjure up a good reason for that even in a Microsoft world, you need something like
index="myindex"
sourcetype="pinginfo"
source="C:\\\\a\\\\b\\\\c\\\\d\\\\e\\\\f f\\\\g\\\\h\\\\ı-i-j\\\\porty*"
|table source
|dedup source
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
