Essentially I have a working search but in the original data the username field is populated with a "
Anyone have any suggestions on how to manage this?
Original strings:
<![CDATA[sourcetype=pan_traffic earliest=-24h | stats count by src_user]]>
...
Application
Count
bar
...
Try this:
<populatingsearch fieldforvalue="src_user" fieldforlabel="src_user_label">
<![CDATA[sourcetype=pan_traffic earliest=-24h | stats count by src_user
| eval src_user_label = replace(src_user,"\\","\\\\") ]]>
</populatingsearch>
<chart>
...
<title>Applications</title>
<searchtemplate>sourcetype=pan_traffic src_user="$username$" host="$site$" | top application</searchtemplate>
This should give you 2 fields for the drop-down: src_user, which you can use for your search, and src_user_label. src_user_label is the same field, but is in the form <domain>\\<username> instead of <domain>\<username>.
You have to double up on the \ because the replace function uses regular expressions.
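A Python analogue of the replace() step in the answer above, added here as an illustration and not part of the original post. The sample user names are constructed, and `read_quoted_term` is an assumed, simplified model of a consumer that treats a backslash inside a quoted term as an escape character; it is not Splunk's parser.

```python
import re

# Constructed sample values (not from the original post); the domains vary on purpose.
SAMPLE_USERS = ["ACME\\jdoe", "corp.example\\a.smith", "LAB\\svc\\backup", "localuser"]


def double_backslashes(value: str) -> str:
    # The pattern is a regex, so a literal backslash has to be written escaped.
    # The replacement template has its own escapes, so r"\\\\" emits two backslashes.
    # No domain name appears in the pattern, so it works for any domain.
    return re.sub(r"\\", r"\\\\", value)


def dropdown_options(users):
    # (raw, doubled) pairs, mirroring src_user and src_user_label in the answer.
    return [(u, double_backslashes(u)) for u in users]


def read_quoted_term(text: str) -> str:
    # Assumed consumer (hypothetical model): a backslash escapes the next character.
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def unescaped_pattern_fails() -> bool:
    # A lone backslash is not a valid regex, which is why the pattern is doubled.
    try:
        re.compile("\\")
    except re.error:
        return True
    return False


if __name__ == "__main__":
    for raw, doubled in dropdown_options(SAMPLE_USERS):
        print(f"{raw!r:28} -> {doubled!r:32} reads back as {read_quoted_term(doubled)!r}")
```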
Ah - thank goodness for the missing slashes - I just inserted them for you. They make the following answer possible!
In this case yes; if it's not too hard I'd like to keep it domain agnostic, i.e. if I had to package this to allow for any domain.
I just noticed the slashes are missing from my post; note there's supposed to be a slash between
Is it a known list of domains?