Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

When creating a dashboard to create a list of windows log sources how do you get it to escape the \ characters within the dashboard

mux
Explorer
‎10-23-2015 08:20 AM

When doing this via the search bar index=xxxx | chart count by source, when you select a source in search it automatically adds in the extra escape character \ in front of the file locations \, when doing it from a dashboard it does not add the extra slashes so it cannot find the source files. On search the search will look like this \\file\\location\\here when clicking on a source file that says \file\location\here, from the dashboard it keeps the original format \file\location\here and it cannot find the source because Splunk interprets the \ character.

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎10-27-2015 05:53 AM

@mux, would you share with us a sanitized version of the panel's base search?

I ask because I tried this scenario on 6.2.6 but it worked as desired - therefore I was unable to reproduce the behavior you saw :(.

BTW: Back in the day, I used to produce a list of Windows sources by using this search (below). I realize you're not asking for it, but I wanted to take this opportunity to share it as the metadata command performs so much better. This search (below) finds all sources and then filters to only those who's source field starts with a letter (upper or lower) then a colon and then a slash. You can modify if you're also likely to have network paths.

| metadata index=* type=sources
 | regex source="^[A-z]\:\\\\"
0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎10-23-2015 09:08 AM

Hi @mux,
What version of the software are you using?
Thanks!

0 Karma
Reply

mux
Explorer
‎10-23-2015 12:04 PM

We are currently running 6.1.6

Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎10-23-2015 01:29 PM

Hey @mux,
Would this suggestion (wrapping the query in CDATA or encoding characters) in an earlier answers post be any help?

https://answers.splunk.com/answers/103335/drilldown-of-reports-not-working-as-expected-under-dashboa...

I will run this by our engineering team. This may be a bug that was fixed in later versions...
I'll report back!
@frobinson_splunk

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎10-23-2015 08:50 AM

The Answers site also has some issues with interpreting backslashes in posts, which isn't helping. To get the backslash characters in string literals to appear on Answers.splunk.com at all, it's easiest to enclose the entire string in backtick chars (just left of the "1" on a US keyboard).

I took the liberty of going in and repairing your question so your backslashes become visible.

To restate, you're finding that when you click a dashboard element (a chart or a table presumably), and the key value pair you're clicking on has backslashes like in source="C:\foo\bar\baz", that Splunk takes you to the search page but it fails to add the extra backslashes. I actually cannot reproduce this in 6.3 dashboard.

Can you confirm that I have the summary right above, as well as give more detail around where exactly it's happening?

0 Karma
Reply

mux
Explorer
‎10-23-2015 12:08 PM

What I am trying to do is create a dashboard for an application team that lists all the windows logs files so they can select the one they want to look at easier. What happens is if you do the search via the search bar, and then click one of the sources listed on the side under sources, Splunk automatically adds in the extra \ to the windows log path so that the source can be found. Within the dashboard running the same command and selecting the source Splunk does not add in the extra \ character to the windows logs files so when it searches for source file it cannot find as it sees the \ as the escape character instead of the source path.

0 Karma
Reply

woodcock
Esteemed Legend
‎10-23-2015 08:27 AM

I do not understand your question but sometimes it takes 3 back slashes to get it to work so try that.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...