Solved: Splunk Query Fails When I use '/' in Query

pramit46 · ‎11-20-2017

I have a query as follows:
index="idx" sourcetype="st" host="host" |search Port=1/0/23

It shows "No Results Found"

But I know there are more than 1 events available for the Port 1/0/23. which show up when I remove the "search filter" part and run it in verbose mode.
I think it is ignoring the value due to that '/'
Any idea how to handle this?

pramit46 · ‎11-20-2017

I read this trick somewhere and it worked for me:

index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"

Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")

View solution in original post

pramit46 · ‎11-20-2017

I read this trick somewhere and it worked for me:

index="idx" sourcetype="st" host="host"
| eval Port_str=toString(Port)
| search Port_str="1/0/44"

Now all I have to do is to use the drill-down parameter instead of "1/0/44" (just make sure you keep the quotes even around the parameter field name e.g.: "$parameter$")

gcusello · ‎11-20-2017

Hi pramit46,
Use brackets

index="idx" sourcetype="st" host="host" Port="1/0/23"

otherwise use regex command

| regex "1\/0\/23"

Bye.
Giuseppe

pramit46 · ‎11-20-2017

I guess you meant quotes, not bracket. If that is the case, then I already tried that too but did not help either.
I am not sure how I can use regex since I am receiving this value from another panel as part drilldown in that panel. If you have any clue on this, then please let me know I'll try that for sure.

gcusello · ‎11-20-2017

Yes quotes!
Bye.
Giuseppe

kamlesh_vaghela · ‎11-20-2017

Please try this.

index="idx" sourcetype="st" host="host" |search (Port=1 OR Port=0 OR Port=23)

pramit46 · ‎11-20-2017

I am supposed to get this value from another panel as part of drilldown. so I'm not sure how to apply your approach.

kamlesh_vaghela · ‎11-20-2017

Hi @pramit46,

You can set custom drilldown on that panel.

Can you please try below code in panel drilldown?

 <drilldown>
          <link target="_blank">search?q=index="idx" sourcetype="st" host="host" [ | makeresults | eval Port="$row.Port$" | eval Port=split(Port,"/") | mvexpand Port | table Port | return 5 Port ]&amp;earliest=-24h@h&amp;latest=now</link>
        </drilldown>

Change drilldown token "$row.Port$" as per your requirement.

Thanks

pramit46 · ‎11-20-2017

I did not try this but I think this would also work. But since the trick I found out yesterday seemed less work, I chose that. But yes, I think this would also work. I liked this idea and may use this in future if needed. thanks a lot @kamlesh_vaghela

Splunk Query Fails When I use '/' in Query

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases