Dashboards & Visualizations

Missing extra backslash in a "source" token to work properly in search query, any ideas?

mpham07
Path Finder

Hello all,

I am relatively new to Splunk and creating dashboard with XML, so any recommendations and tips are greatly appreciated.

So I have a dashboard with a drop-down menu with a list of sources - I did this because we have a weekly CSV report, so the user can pick a file based on the date within the file name. When the panel relying on the "source" token runs the search, the token value is missing a backslash, so it does not work properly. The source code and explanation are below.

Drop-down menu:

<input type="dropdown" token="source_csv" searchWhenChanged="true">
  <label>Select a report week:</label>
  <prefix>source=</prefix>
  <default>*</default>
  <choice value="*">All</choice>
  <fieldForLabel>source</fieldForLabel>
  <fieldForValue>source</fieldForValue>
  <search>
    <query>
      index="example_reports" | chart count by source
    </query>
  </search>
</input>

So when a panel with the search below is done, nothing shows up because it's missing a backslash.

host="example_host" index="example_index" $source_csv$ | stats distinct_count(ip)

The search query comes out as:

host="example_host" index="example_index" source=D:\example\report-2018-12-25.csv | stats distinct_count(ip)

The issue is that the source value needs two backslashes for it to work:
source=D:\\example\\report-2018-12-25.csv

Is there any way to get the token to have two backslashes in the directory path, either in the token or in the search query? Thank you in advance.

I did search for solutions on this by adding |s$ and search string, but couldn't get it to work right...

1 Solution

mpham07
Path Finder

With the help of jazzypai and jkat54, the answer is below:

Thank you so much jazzypai! I got it to work with your rex line. Here is what I put in for the drop down search:

host="example_host" index="example_index" | rex field=source mode=sed "s/\\\/\\\\\\\/g" | chart count by source

Then it came out right for the search queries that used "source_csv" tokens! Thank you so much for the help and troubleshooting guys/gals! :'D


jkat54
SplunkTrust

Yes, try this in your dynamic search that populates the drop down or prior to using the token in sub panels.

 | rex mode=sed field=source "s/\\/\\/"

Or

  | eval field=$source$
  | rex mode=sed field=source "s/\\\/\\\\\\\/"

mpham07
Path Finder

Hello jkat54,

I tried both and they didn't work, I get a "Could not create search. Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."

Is this the correct way to input the search in the drop-down panel? Thanks again.

host="example_host" index="example_index" | rex mode=sed field=source "s/\/\/"| chart count by source


jazzypai
Path Finder

To troubleshoot, do the following (this works, but it is just to explain the process):

| makeresults count=1
| eval source="D:\example\report-2015-05-05.csv"
| rex field=source mode=sed "s/\\\/\\\\\\\/g"

You'll see the result you desired; hopefully, I do. Once your regex is confirmed, put it in your search and carry on.

I tried using the regex provided above and didn't see the result you wanted so it most likely wouldn't work even with your search provided.

mpham07
Path Finder

Thank you so much jazzypai! I got it to work with your rex line. Here is what I put in for the drop down search:

host="example_host" index="example_index"  | rex field=source mode=sed "s/\\\/\\\\\\\/g" | chart count by source

Then it came out right for the search queries that used "source_csv" tokens! Thank you so much for the help and troubleshooting guys/gals! :'D

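Added example (not code from the thread): a small Python model of the two escaping layers at work in jazzypai's rex line, showing why "s/\\\/\\\\\\\/g" turns each single backslash in the source path into two, while the shorter "s/\\/\\/" variant cannot be parsed as a sed substitution. The spl_unescape() rules below (Splunk collapses \\ to \ and \" to " inside a double-quoted string and keeps any other backslash pair verbatim) are this example's assumption about how SPL unquotes the string, not Splunk documentation.

```python
import re


def spl_unescape(s: str) -> str:
    """Model of SPL double-quoted string unescaping (assumption for this example):
    '\\\\' -> '\\', '\\"' -> '"', any other backslash+char pair is kept as-is."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append(nxt if nxt in ("\\", '"') else s[i] + nxt)
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_sed_s(expr: str):
    """Split 's<d>pattern<d>replacement<d>flags'; a backslash plus the next char
    is one unit, so an escaped delimiter does not end a section."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("not an s/// expression")
    delim, parts, cur, i = expr[1], [], [], 2
    while i < len(expr) and len(parts) < 2:
        if expr[i] == "\\" and i + 1 < len(expr):
            cur.append(expr[i] + expr[i + 1]); i += 2
        elif expr[i] == delim:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(expr[i]); i += 1
    if len(parts) < 2:  # ran out of text before the closing delimiter
        raise ValueError("Failed to parse the regex to replace")
    return parts[0], parts[1], expr[i:]


def apply_rex_sed(spl_quoted: str, value: str) -> str:
    """Apply the sed expression as it reaches the rex command to a field value."""
    pattern, repl, flags = parse_sed_s(spl_unescape(spl_quoted))
    return re.sub(pattern, repl, value, count=0 if "g" in flags else 1)


def sed_parses(spl_quoted: str) -> bool:
    try:
        parse_sed_s(spl_unescape(spl_quoted))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    src = r"D:\example\report-2018-12-25.csv"   # constructed sample value
    print(apply_rex_sed(r"s/\\\/\\\\\\\/g", src))  # D:\\example\\report-2018-12-25.csv
    print(sed_parses(r"s/\\/\\/"))                 # False: no closing delimiter
```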

jazzypai
Path Finder

Glad it worked out! Good job!
