Getting Data In

How to replace single backslash (\) with double back slash(\\) from a base search result which is a token value and it is used as an input for the sub search?

sureshmurgan
Path Finder

Base Search:
We are fetching the data from the field named WMIError as given below,

WMIError="Unable to connect to root\cimv2*" (This is taken as the input value for the subsearch as a drill down)

      <set token="WMI">$row.WMIError$</set>       (Here it is taken as the input)

Subsearch (Drilldown) :

  <title>Host details for $WMI$</title>
   <table>
    <search>
     ADSite_Membership="$WMI$"
    </search>
  </table>
</panel>

It is not returning anything because the token value contains a backslash (Unable to connect to root\cimv2).

How can I replace the single backslash (\) with a double backslash (\\) in this token before it is used in the search? Any help is appreciated.

0 Karma

woodcock
Esteemed Legend

Change your drilldown search from this:

  ADSite_Membership="$WMI$"

To this:

| makeresults 
| eval value="$WMI$"
| map search="search ADSite_Membership=\"$$value$$\""

BTW, you should never, ever Ever, EVER rely on indexes_searched_by_default in your production stuff.

0 Karma

sureshmurgan
Path Finder

This didn't work on my first attempt, will try this as well. Thanks Wood!

0 Karma

woodcock
Esteemed Legend

I actually tested it and it worked for me on 7.2.something.

0 Karma

sureshmurgan
Path Finder

Here's the entire source code for better understanding. Here the drilldown is not returning any result because the base search result has one backslash in it. We need to somehow change the resulting value in the base search, which is the input for the drilldown, to replace \ with \\, and it should happen automatically when we click on the resulting base search row value where it only has a single backslash. For example: WMIError="Unable to connect to root\cimv2"

WMi Test

<input type="time" token="field1">
  <label>Time</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <search>
      <query>index=sccm_uk source="C:\\Windows\\CCM\\Logs\\execmgr.log" sourcetype=WindowsCCMLogs host="*" WMIError="Unable to connect to root\\cimv2*" 

              |dedup host
              |stats count(host) as #Hosts by WMIError

              |sort 0 - #Hosts
              |addcoltotals #Hosts</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <drilldown>
      <set token="WMI">$row.WMIError$</set>
    </drilldown>
  </table>
</panel>


<panel depends="$WMI$">
  <title>Host details for $WMI$</title>
  <table>
    <search>
      <query>index=sccm_uk source="C:\\Windows\\CCM\\Logs\\execmgr.log" sourcetype=WindowsCCMLogs host="*" WMIError="$WMI$"
             |convert ctime(_time) as Time timeformat="%d-%m-%Y %H:%M:%S"
             |stats latest(WMIError) as WMIError values(Time) as Time BY host</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
  </table>
</panel>
0 Karma

koshyk
Super Champion

I'm not sure if the reason is related to the backslash,
but if you want to turn a single backslash into a double one, please do something like below

| eval WMIError = replace(WMIError, "\\\\","\\\\\\")

This will convert single to double backslash
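Added example (not from this thread, and not Splunk's own code) showing in Python the escaping a token value needs before it is spliced into an SPL string literal: backslashes doubled and double quotes escaped, which is also what the Simple XML `$WMI|s$` token filter does. The function names and the sample values are ours; `spl_unquote` is a simplified decoder that treats backslash as a generic escape, as SPL does for `\\` and `\"`.

```python
"""
Escape a dashboard token value before it is inserted into an SPL search.

Splunk interprets backslashes inside quoted string literals, so a raw field
value such as  Unable to connect to root\cimv2  must have its backslash doubled
(and any embedded double quote escaped) before it lands in  WMIError="$WMI$".
"""


def spl_quote(value: str) -> str:
    """Return `value` as a double-quoted SPL string literal.

    Backslashes are doubled and double quotes escaped, so the value is
    always treated as data and can never close the literal early.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def spl_unquote(literal: str) -> str:
    """Decode a quoted SPL literal back to the raw value (simplified decoder).

    Raises ValueError if the literal is malformed, which is exactly what an
    unescaped value can cause once it is spliced into a search string.
    """
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not a quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 1
            if i >= len(body):
                raise ValueError("dangling backslash")
            out.append(body[i])          # escaped char is taken literally
        elif ch == '"':
            raise ValueError("unescaped quote inside literal")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def build_drilldown(wmi_error: str) -> str:
    """Build the drilldown search from the thread with the token escaped."""
    return f"index=sccm_uk WMIError={spl_quote(wmi_error)}"


def build_drilldown_raw(wmi_error: str) -> str:
    """The thread's original, unescaped form, kept for comparison."""
    return f'index=sccm_uk WMIError="{wmi_error}"'
```

Decoding the literal produced by `build_drilldown_raw` for the thread's value loses the backslash (`root\cimv2` becomes `rootcimv2`), which is why the original drilldown matched nothing.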

sureshmurgan
Path Finder

This worked right when I added it to my base query.
Search result of the base query had an additional backslash but it fits the purpose. Thanks koshyk!

0 Karma