Solved: drop down menu with source

smolcj · ‎11-06-2012

Is it not possible to create a Drop Down menu populating source files as the input?
I have tried using both simple xml and advanced xml. the source filename is replaced in the view results but results are not obtained.

smolcj · ‎11-07-2012

ha, finally it worked with this regex.. if somebody knows much effective one please help..
..| rex mode=sed field=source "s/\\\{1}/\\\\\//g" | rex mode=sed field=source "s/\///g"

THANK YOU

View solution in original post

smolcj · ‎11-07-2012

ha, finally it worked with this regex.. if somebody knows much effective one please help..
..| rex mode=sed field=source "s/\\\{1}/\\\\\//g" | rex mode=sed field=source "s/\///g"

THANK YOU

smolcj · ‎11-15-2012

as i mentioned, i am using a dropdown box in this view.i.e. user will select a source from the dropdown box and he will get some statistics of that source, number of event bla bla bla... so i used this rex along with the search used to populate the dropdown box.
hop it helped you
thanks

splunkpoornima · ‎11-15-2012

hi smolcj

Actually i am also facing the same problem..i have created the view and i have the sources in the form of link lister

my doubt is in which piece of code we hav to use this above command

sowings · ‎11-06-2012

Hint: If you're searching for the source field, | metadata type=sources index=<index> is going to be much faster than index=main | top source. The latter has to search all of the data in the index, while the former only consults the metadata. Much less information is read from disk, and the search will be much faster.

smolcj · ‎11-15-2012

you are right.. replace is for onetime use.. thank you

Ayn · ‎11-07-2012

From the docs on replace: "Replaces a single occurrence of the first string with the second within the specified fields". You can't use replace. Use rex.

smolcj · ‎11-07-2012

i was wondering that when i am trying with replace command

    "...|replace *\* with *\\* in source" 

(asterisk followed by 2 or 4 slashes and then asterisk again)

, it worked well for first backslash.

'C:/folder/filename.txt' is replaced by 'C://folder/filename.txt' i wish it happened for the second slash also.

THANK YOU

Ayn · ‎11-07-2012

Like I said, you might need to play around a bit with the number of backslashes, due to the way Splunkweb handles things. Don't stop trying just because you got an error with that specific regex I showed you.

smolcj · ‎11-07-2012

Thanks Ayn , but i already tried it and i am getting an error. "Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."
But when i tried with replace *\* with *\\* in source, it worked for first backslash and i am playing around to make it happen for all the slashes
THANK YOU

Ayn · ‎11-07-2012

Something like

... | rex mode=sed field=source "s/\\/\\\\/g"

or similar should get you going. Splunkweb can be a bit tricky to work with when it comes to backslashes so you might need to apply more or less, but that's just a matter of playing around a bit 🙂

smolcj · ‎11-06-2012

so Do i have to use transformation for the source field? can u suggest the regex needed to transform the backslash in source file name to double backslash
thanks

sowings · ‎11-06-2012

Additionally, you will want to transform the 'source' field to accommodate Windows paths before setting it in the replacement token (i.e., as part of your search to populate the pulldown). See this answer for a helpful regex.

smolcj · ‎11-06-2012

I am sure about my search query as i used it with text box inputs and saved searches. now i inspected through 'jobs' as AYN suggested, there too i found the filepath as the issue. can u help me with a rex to replace sourcefilename.
i tried with '/s', as i am not good in rex, i am not able to debug the issue

Ayn · ‎11-06-2012

You can check what the search looks like if you choose the "Jobs" link to the upper right in splunkweb. There you can confirm if the search looks as it should or if there is something wrong with it.

smolcj · ‎11-06-2012

In my form i need a drop down box and a flaschart. the dropdown box is populated with source and by selecting the source a search is done and i should get a chart.
the search query used to populate drop down box is like
index=main sourcetype=* | top source
and it is populated with all the source values . good!.
then my search template is like
index=main source=$tokenusedindropdown$ mysearch| chart count by Field_PC
i am pretty sure than the query will work properly to obtain the chart. issue here is the filepath
single backslash on source filepath should replaced by double. i tried rex using 'sed' and 'sedcmd'
still not work
please help

Ayn · ‎11-06-2012

Could you explain more clearly what you're trying to do? What is replaced, what results are you talking about etc...

drop down menu with source

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!