I’m looking for information with respect to drilldown here.
The following is the drilldown query:
/app/XXXXXX/flashtimeline?q=sourcetype= "XXXXX" (XXXXX OR XXXXX) | rex "for [\w\d-.]+:(?<src_ip>\d+.\d+.\d+.\d+)/(?<src_port>[a-zA-Z0-9]+)\s+to\s+[\w\d-.]+:(?<dest_ip>\d+.\d+.\d+.\d+)/(?<dest_port>[a-zA-Z0-9]+)" | search src_ip="$row.Source Address$"
But when I click on the drilldown via the Dashboard, the query transforms like below.
sourcetype= "XXXXXXX" (XXXXX OR XXXXX) | rex "for [\w\d-.]/ :(?
If you notice, all the “+” characters from the regex are removed when we click on the drilldowns.
I tried adding both backslash and forward slash for escaping the “+”. But it didn't work out and the same issue still exists.
Can you please suggest us a way to overcome this issue?
You might try wrapping the whole link in CDATA.
<link>
<![CDATA[ <search string> ]]>
</link>
If that doesn't work, know that + is a special character in a URL string (iirc), so you may need to escape it for the destination, by using the character's ASCII value (in hex), after a %. 'man ascii' on my system shows that + would be 2b, so that would be encoded as %2b in your URL.
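An added example, not part of the original posts: it shows what form-style query decoding does to an unescaped "+" in a drilldown link and how %2b survives. Python's standard `parse_qs` stands in for the receiving page here, and the app path, sourcetype and IP value are constructed placeholders.

```python
from urllib.parse import parse_qs, quote

# Constructed sample: a shortened form of the rex search from the question.
SEARCH = (r'sourcetype="fw" | rex "for [\w\d-.]+:(?<src_ip>\d+.\d+.\d+.\d+)'
          r'/(?<src_port>[a-zA-Z0-9]+)" | search src_ip="10.0.0.1"')
BASE = "/app/myapp/flashtimeline"  # hypothetical app path


def decoded_q(link: str) -> str:
    """Return q as a form-decoding server sees it ('+' becomes a space)."""
    query = link.split("?", 1)[1]
    return parse_qs(query, keep_blank_values=True)["q"][0]


def raw_link(search: str) -> str:
    """Search pasted into the link unchanged, as in the question."""
    return f"{BASE}?q={search}"


def plus_escaped_link(search: str) -> str:
    """The fix from the thread: write each '+' as %2b."""
    return f"{BASE}?q={search.replace('+', '%2b')}"


def fully_encoded_link(search: str) -> str:
    """Percent-encode every reserved character, not only '+'."""
    return f"{BASE}?q={quote(search, safe='')}"


if __name__ == "__main__":
    for build in (raw_link, plus_escaped_link, fully_encoded_link):
        got = decoded_q(build(SEARCH))
        print(f"{build.__name__:20} intact={got == SEARCH}")
        print("   ", got)
```

Only the raw link loses the regex quantifiers; both escaped forms decode back to the search as written.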
Hi Sowings,
Substituting %2b fixed this issue. Thanks