Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Query Fails When I use '/' in Query

pramit46
Contributor
‎11-20-2017 01:13 AM

I have a query as follows:
index="idx" sourcetype="st" host="host" |search Port=1/0/23

It shows "No Results Found"

But I know there are more than 1 events available for the Port 1/0/23. which show up when I remove the "search filter" part and run it in verbose mode.
I think it is ignoring the value due to that '/'
Any idea how to handle this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pramit46
Contributor
‎11-20-2017 02:41 AM

I read this trick somewhere and it worked for me:

index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"

Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pramit46
Contributor
‎11-20-2017 02:41 AM

I read this trick somewhere and it worked for me:

index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"

Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 01:38 AM

Hi pramit46,
Use brackets

index="idx" sourcetype="st" host="host" Port="1/0/23"

otherwise use regex command

| regex "1\/0\/23"

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

pramit46
Contributor
‎11-20-2017 02:11 AM

I guess you meant quotes, not bracket. If that is the case, then I already tried that too but did not help either.
I am not sure how I can use regex since I am receiving this value from another panel as part drilldown in that panel. If you have any clue on this, then please let me know I'll try that for sure.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 02:50 AM

Yes quotes!
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-20-2017 01:17 AM

Please try this.

index="idx" sourcetype="st" host="host" |search (Port=1 OR Port=0 OR Port=23)
0 Karma
Reply
Solved! Jump to solution

pramit46
Contributor
‎11-20-2017 02:12 AM

I am supposed to get this value from another panel as part of drilldown. so I'm not sure how to apply your approach.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-20-2017 02:27 AM

Hi @pramit46,

You can set custom drilldown on that panel.

Can you please try below code in panel drilldown?

 <drilldown>
          <link target="_blank">search?q=index="idx" sourcetype="st" host="host" [ | makeresults | eval Port="$row.Port$" | eval Port=split(Port,"/") | mvexpand Port | table Port | return 5 Port ]&amp;earliest=-24h@h&amp;latest=now</link>
        </drilldown>

Change drilldown token "$row.Port$" as per your requirement.

Thanks

Reply
Solved! Jump to solution

pramit46
Contributor
‎11-20-2017 10:56 PM

I did not try this but I think this would also work. But since the trick I found out yesterday seemed less work, I chose that. But yes, I think this would also work. I liked this idea and may use this in future if needed. thanks a lot @kamlesh_vaghela

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...