
slash error in the source

splunkpoornima
Communicator

hi all

I have created a view that contains a dropdown for index, and if I select the index I get all the sources in that index, like below:

[screenshot not included]

Then if I select any source, it takes me to the search app as:

[screenshot not included]

Here the source contains only a single backslash, but I need a double backslash in my source.

This is the rough piece of code I have used. To get the double slash in my source, please help: at what place do I have to modify the code?


Now we take a bunch of leaps ahead and put it all together. We put in a Sorter module, a Paginator module. We put in a HiddenSearch+SimpleResultsHeader pattern to give us 'Sources (208)'. Then we duplicate the same pattern for both Sourcetypes and Hosts.


(The dropdown's module settings were rendered by the forum as bare values; they are: label "which index", name "index_setting", populating search `| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index`, "True", "main", and searchFieldsToDisplay label "index" / value "index".)

<module name="ConvertToIntention">
  <param name="settingToConvert">index_setting</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="index">
        <param name="fillOnEmpty">True</param>
        <param name="prefix">index=</param>
        <param name="value">$target$</param>
      </param>
    </param>
  </param>

  <!-- count of sources for the selected index -->
  <module name="HiddenSearch">
    <param name="search">| metadata type=sources $index$</param>
    <module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp1">
      <param name="entityName">results</param>
      <param name="headerFormat">Sources (%(count)s)</param>
    </module>
  </module>

  <!-- clickable list of sources; the clicked value is stored in the setting "list1" -->
  <module name="SearchLinkLister">
    <param name="settingToCreate">list1</param>
    <param name="search">| metadata type=sources $index$</param>
    <param name="applyOuterIntentionsToInternalSearch">True</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">source</param>
        <param name="value">source</param>
      </list>
      <list>
        <param name="label">totalCount</param>
        <param name="labelFormat">number</param>
      </list>
    </param>

    <!-- search run with the clicked source substituted for $pub$ -->
    <module name="HiddenSearch">
      <param name="search">source=$pub$ | transaction TaskBP startswith=START endswith=Succeeded</param>
      <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
      <param name="flags"><list>indexed</list></param>

      <module name="ConvertToIntention">
        <param name="settingToConvert">list1</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="pub">
              <param name="value">$target$</param>
            </param>
          </param>
        </param>
        <!-- tells the addterm intention to put our term in the first search clause no matter what. -->
        <param name="flags"><list>indexed</list></param>
      </module>
    </module>
  </module>
</module>

thanks in advance

poornima

1 Solution

smolcj
Builder
|rex mode=sed field=source  "s/\\\{1}/\\\\\//g" | rex mode=sed field=source  "s////g" 

Use this regex instead.


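The rex mode=sed expression in the accepted answer has had backslashes eaten by the forum's formatting, so it is hard to see what it is meant to do. As an added example (not from this thread and not Splunk's own code), the same transformation run through plain sed: each backslash in the Windows path is doubled so that one round of unescaping, when the clicked value lands inside the quoted search string in the search app, gives back the original path. The function names and the sample path are my own; a quote-escaping step is included as well, because a source value containing a double quote would otherwise terminate the quoted term and let the rest of the value be parsed as search syntax.

```shell
#!/bin/sh
# Added example, not from the thread: what the accepted answer's
# rex mode=sed is trying to express, shown with plain sed so the
# backslash handling is visible. Helper names are assumptions.

# Double every backslash in a Windows path so it survives one round of
# unescaping when a quoted search string is re-parsed.
# sed pattern "\\" matches one backslash; replacement "\\\\" emits two.
double_backslashes() {
    # printf rather than echo: echo may interpret backslash escapes.
    printf '%s' "$1" | sed 's/\\/\\\\/g'
}

# Build the search term a clicked source should turn into.
# Backslashes are doubled first, then embedded double quotes are
# escaped, so a path with spaces, a quote, or a pipe cannot change
# the structure of the search it is inserted into.
spl_source_term() {
    escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'source="%s"' "$escaped"
}

# Constructed sample path, mirroring the one in the thread.
SAMPLE='C:\Users\20875\Desktop\TaskManager\TaskManager_all.txt'

printf 'as clicked (single backslashes): source=%s\n' "$SAMPLE"
printf 'doubled:                         %s\n' "$(double_backslashes "$SAMPLE")"
printf 'quoted and escaped search term:  %s\n' "$(spl_source_term "$SAMPLE")"
```

Run the script as-is to print the three forms. In SPL terms the sed expression `s/\\/\\\\/g` is what the answer's rex is spelling, and it belongs in the populating search that feeds the SearchLinkLister, as okrabbe_splunk suggests further down, so the doubled value is what gets clicked rather than being patched afterwards.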


Ayn
Legend

Awesome 🙂


splunkpoornima
Communicator

Hi guys,

Finally I tried |rex mode=sed field=source "s/\{1}/\\\//g" | rex mode=sed field=source "s/\///g"

It works properly.

Thanks all of you.

smolcj
Builder

Cool, now you can write a regex to replace the front slash with a backslash: |rex mode=sed field=source "s/\///g" i.e. "sfrontslashbackslashfrontslashfrontslashfrontslashg"
Because of the formatting done by Splunkbase, the backslash in second place was skipped. Read it and replace those words with the corresponding slashes.
Thank you.

splunkpoornima
Communicator

Hi Ayn,

Now I am getting like below:

source=C:\/Users\/20875\/Desktop\/TaskManager\/TaskManager_all.txt | transaction TaskBP startswith=START endswith=Succeeded

Ayn
Legend

You need to add the rex statement to the populating search in your SearchLinkLister (the one using the metadata command).


splunkpoornima
Communicator

Hi Ayn,

I tried, but in the search app I got:

source=C:\Users\20875\Desktop\TaskManager\TaskManager_all.txt | rex mode=sed field=source "s/\{1}/\\\//g" | transaction TaskBP startswith=START endswith=Succeeded

Ayn
Legend

The second rex statement in the answer is empty - I don't know what the idea is there, but I think you should just remove it and use only the first rex statement. See what it gives you.


splunkpoornima
Communicator

Hi all,

I tried, since I am getting the error.

sruthy
Explorer

I think the regex in the comment is missing some slashes; can you try with the one posted in the answer?

splunkpoornima
Communicator

Hi smolcj, thanks for your response. I actually did what you quoted; it shows an error like:

PARSER: Applying intentions failed Error in 'rex' command: Failed to initialize sed. Empty regular expression.

Encountered an unexpected error while parsing intentions.

smolcj
Builder


source=$pub$|rex mode=sed field=source "s/\{1}/\\\//g" | rex mode=sed field=source "s////g"| transaction TaskBP startswith=START endswith=Succeeded
I think this will work.
Thank you.

splunkpoornima
Communicator

I have a SearchLinkLister and also the HiddenSearch. Do I have to use the command in both places, or only in the HiddenSearch?

Ayn
Legend

In your search.


splunkpoornima
Communicator

Actually, in the above code, where do I insert this?

okrabbe_splunk
Splunk Employee

Poornima,

One option is to change the format of sources returned in your query rather than trying to change it when it is clicked.

Change this search:
| metadata type=sources $index$

to this:
| metadata type=sources $index$ | rex mode=sed field=source "s/\{1}/\\\//g"

splunkpoornima
Communicator

Hi Okrabbe,

Thanks for your answer.

As you said, I changed the query as above in both places (in the HiddenSearch and also in the SearchLinkLister), but still it is not coming.