When doing this via the search bar index=xxxx | chart count by source, when you select a source in search it automatically adds in the extra escape character \
in front of the file locations \
, when doing it from a dashboard it does not add the extra slashes so it cannot find the source files. On search the search will look like this \\file\\location\\here
when clicking on a source file that says \file\location\here
, from the dashboard it keeps the original format \file\location\here
and it cannot find the source because Splunk interprets the \
character.
@mux, would you share with us a sanitized version of the panel's base search?
I ask because I tried this scenario on 6.2.6 but it worked as desired - therefore I was unable to reproduce the behavior you saw :(.
BTW: Back in the day, I used to produce a list of Windows sources by using this search (below). I realize you're not asking for it, but I wanted to take this opportunity to share it as the metadata
command performs so much better. This search (below) finds all sources and then filters to only those who's source field starts with a letter (upper or lower) then a colon and then a slash. You can modify if you're also likely to have network paths.
| metadata index=* type=sources
| regex source="^[A-z]\:\\\\"
Hi @mux,
What version of the software are you using?
Thanks!
We are currently running 6.1.6
Hey @mux,
Would this suggestion (wrapping the query in CDATA or encoding characters) in an earlier answers post be any help?
I will run this by our engineering team. This may be a bug that was fixed in later versions...
I'll report back!
@frobinson_splunk
The Answers site also has some issues with interpreting backslashes in posts, which isn't helping. To get the backslash characters in string literals to appear on Answers.splunk.com at all, it's easiest to enclose the entire string in backtick chars (just left of the "1" on a US keyboard).
I took the liberty of going in and repairing your question so your backslashes become visible.
To restate, you're finding that when you click a dashboard element (a chart or a table presumably), and the key value pair you're clicking on has backslashes like in source="C:\foo\bar\baz"
, that Splunk takes you to the search page but it fails to add the extra backslashes. I actually cannot reproduce this in 6.3 dashboard.
Can you confirm that I have the summary right above, as well as give more detail around where exactly it's happening?
What I am trying to do is create a dashboard for an application team that lists all the windows logs files so they can select the one they want to look at easier. What happens is if you do the search via the search bar, and then click one of the sources listed on the side under sources, Splunk automatically adds in the extra \ to the windows log path so that the source can be found. Within the dashboard running the same command and selecting the source Splunk does not add in the extra \ character to the windows logs files so when it searches for source file it cannot find as it sees the \ as the escape character instead of the source path.
I do not understand your question but sometimes it takes 3 back slashes to get it to work so try that.