Hi Splunk community, I am trying to populate an input dropdown with results from a regex search and I'm fairly sure it's my usage syntax.
Any help is appreciated;
<input type="dropdown" token="field1">
<label>field1</label>
<populatingSearch fieldForLabel="name" fieldForValue="name">sourcetype="error log" | rex field=_raw "(<StatusCode>)(?<code>\d+)(</ns0:StatusCode>)"|top code</populatingSearch>
<earliest>$test.earliest$</earliest>
<latest>$test.latest$</latest>
</input>
I keep receiving an error on my regex line: Unexpected close tag
and there's nothing wrong with the regex statement; I've tested it in the main search and it correctly extrapolates the data that I want into the aforementioned new variable.
Thanks in advance
Hi again @niketnilay! Yes, you are absolutely correct;
- I should have mentioned the version I'm using, rookie mistake coming from an old prod support guy lol (I am using 6.6.3)
- this is indeed a legacy command; however, try as I might with the example syntax provided from the Splunk examples, it didn't work because.......
Yes, I'm digging through SOAP tags, so since we are already working in XML form in Splunk, I have to further "string-ify" the query string, so I did this instead:
field1
<default>*</default>
<choice value="*">All</choice>
<fieldForLabel>code</fieldForLabel>
<fieldForValue>code</fieldForValue>
<search>
<query>
<![CDATA[index=main sourcetype="error log" | rex "(<ns0:StatusCode>)(?<code>\d+)(</ns0:StatusCode>)"|top code]]>
<!-- <![CDATA[index=main | stats count by code]]>-->
</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
Seems like you are trying to parse XML data for field extraction. You should consider the following for extracting data from XML:
1) Use KV_MODE=xml for automatic search-time field discovery from XML data, provided events are always XML. (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration)
2) The spath command for parsing and extracting XML data. (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath)
Does your XML node StatusCode look like the following?
<StatusCode>12345</ns0:StatusCode>
If yes, you should try the following rex command instead:
sourcetype="error log"
| rex "<StatusCode>(?<code>\d+)<\/ns0:StatusCode>"
| top code
PS: while saving to the dashboard, the < and > should be escaped:
| rex "&lt;StatusCode&gt;(?&lt;code&gt;\d+)&lt;\/ns0:StatusCode&gt;"
I was also curious about the version of Splunk you are using; since populatingSearch is a legacy command, you should be using <search> with <query>, <earliest> and <latest>, and tokens should be set using <fieldForValue> and <fieldForLabel> respectively.
So your final dropdown input code should look like the following:
<input type="dropdown" token="field1">
<label>field1</label>
<fieldForLabel>code</fieldForLabel>
<fieldForValue>code</fieldForValue>
<search>
<query>sourcetype="error log" earliest=$test.earliest$ latest=$test.latest$
| rex "&lt;StatusCode&gt;(?&lt;code&gt;\d+)&lt;\/ns0:StatusCode&gt;"
|top code
</query>
</search>
</input>
https://docs.splunk.com/Documentation/Splunk/latest/Viz/Buildandeditforms
[UPDATE] just noticed that &lt; got escaped as < while trying to post the answer. Trying an update to fix the same. Can you try the query from the final example? Ideally with this, CDATA would not be required since special characters are already escaped. No need to stress though, as you already have a working solution 🙂
PS: In your question you had used time tokens for earliest and latest, so I had included earliest=$test.earliest$ latest=$test.latest$ in the base search. Please include the same, as your current search runs for a 24-hour static time.
Also, if you are trying to apply rex on _raw data, then field=_raw is optional.
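To make the escaping point in this answer concrete, here is an added example in Python (not code from the thread or from Splunk). It drops the rex from the thread into a Simple XML <query> element three ways: raw (the "Unexpected close tag" case), entity-escaped, and CDATA-wrapped, and checks what an XML parser recovers from each; the SOAP-style sample event and the dashboard fragment are constructed, and the Splunk (?<code>) group syntax is rewritten to Python's (?P<code>) for the local regex check.

```python
"""Added example: why angle brackets in a rex break a Simple XML <query>,
and the two ways to make the element well-formed. Constructed data only."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The SPL the dropdown needs (same shape as the working query in the thread).
SPL = r'index=main sourcetype="error log" | rex "<ns0:StatusCode>(?<code>\d+)</ns0:StatusCode>" | top code'

# Constructed dropdown fragment; {query} is substituted verbatim.
INPUT_TEMPLATE = (
    '<input type="dropdown" token="field1"><label>field1</label>'
    '<fieldForLabel>code</fieldForLabel><fieldForValue>code</fieldForValue>'
    '<search><query>{query}</query>'
    '<earliest>-24h</earliest><latest>now</latest></search></input>'
)


def build_input(query_text: str) -> str:
    """Place query_text inside <query> exactly as given (no escaping)."""
    return INPUT_TEMPLATE.format(query=query_text)


def query_from_xml(xml_text: str):
    """Parse the fragment and return the <query> text, or None if the XML
    is not well-formed (the parser reads <ns0:StatusCode> as a start tag)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext("search/query")


def escaped_query(spl: str) -> str:
    """Option from the answer above: entity-escape & < > so the SPL is plain text."""
    return escape(spl)


def cdata_query(spl: str) -> str:
    """Option the asker used: wrap the SPL in a CDATA section (must not contain ]]>)."""
    assert "]]>" not in spl, "CDATA section cannot contain ']]>'"
    return f"<![CDATA[{spl}]]>"


def extract_code(event: str):
    """Apply the rex pattern to one event; Python needs (?P<name>) where PCRE allows (?<name>)."""
    m = re.search(r"<ns0:StatusCode>(?P<code>\d+)</ns0:StatusCode>", event)
    return m.group("code") if m else None


# Constructed sample SOAP-style error event.
SAMPLE_EVENT = ('<ns0:Fault><ns0:StatusCode>503</ns0:StatusCode>'
                '<ns0:Message>upstream unavailable</ns0:Message></ns0:Fault>')

if __name__ == "__main__":
    print("raw:    ", query_from_xml(build_input(SPL)))           # None: not well-formed
    print("escaped:", query_from_xml(build_input(escaped_query(SPL))))
    print("cdata:  ", query_from_xml(build_input(cdata_query(SPL))))
    print("code:   ", extract_code(SAMPLE_EVENT))                  # 503
```

Both well-formed variants hand Splunk the identical SPL string, so the choice between them is about what the dashboard editor preserves when you save, not about how the search runs.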
Hi,
Can you please update your XML code?
<populatingSearch fieldForLabel="name" fieldForValue="name">sourcetype="error log" | rex field=_raw "(>StatusCode<)(?>code<\d+)(>/ns0:StatusCode<)"|top code</populatingSearch>
Thanks
Hi Kamlesh, this did not work.
Additionally, the <> is part of the text that I'm looking for and it's not a regex char, so I do not believe that's where the break is.