I am trying to setup an event action for my Pandion.
While posting the URL to browser, '?' sign is getting converted to %3F which is the HEX for '?' sign. This results in URL not passing the field values like source and dest IP.
If I delete the %3F and put ? sign again and hit refresh, then rerun it then it passes the values properly and Pandion is able to search the data.
URL mentioned in Workflow action:
https://IP_address/#/search/UUID?sip=$src_ip$&from_time=$_time$
Actual URL when it gets posted in another window:
https://IP_address/#/search/UUID%3Fsip=$src_ip$&from_time=$_time$
Do you see the change after ? Anyone else faced this while posting URL from workflow actions??
Can you paste your configuration as seen by btool?
./bin/splunk btool workflow_actions list <workflow action stanza name>
The one I just created doesn't exhibit the behavior you describe, and its btool output looks like:
[610627]
display_location = event_menu
fields = *
label = 610627
link.method = get
link.target = blank
link.uri = http://192.168.82.169/search?field=value
type = link
I ask for the btool
output to ensure there isn't some other configuration file taking precedence from the configuration you're looking at.
is there any ?
in https:///#/search/
?
I just updated my question. Thanks for looking in
It's https://IP_address/#/search/UUID?sip=$src_ip$&from_time=$_time$