
Seems like a bug - why can't I include greater than or less than in search spawned from drilldown?

briancronrath
Contributor

Use this dashboard simplexml as a repro if you'd like:

<dashboard>
  <label>bug_repro</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval test="test"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">search?q=|makeresults | eval test="$row.test$" | rex field=test "(?&lt;testxtract&gt;.*)"&amp;earliest=-15m&amp;latest=now</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

I'm on Splunk 7, by the way. This is just a simple example to illustrate what I see as an aggravating bug I'm running into. I need to be able to generate rex for a clickthrough search in a dashboard of mine, but I can find no workaround for this, as Splunk rex seems to only allow named capture groups for extracting a field, and the only way to do that is by using greater than or less than characters, which seem to just not be handled at all by the clickthrough functionality. Anyone have any ideas on how I can get a gt or lt character to work in a spawned search from a clickthrough?

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @briancronrath,

Can you please try this?

<dashboard>
   <label>bug_repro</label>
   <row>
     <panel>
       <table>
         <search>
           <query>|makeresults | eval test="test"</query>
           <earliest>-15m</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">cell</option>
         <drilldown>
           <link target="_blank">search?q=|makeresults | eval test="$row.test$" | rex field=test "(%3f%3ctestxtract%3e.*)"&amp;earliest=-15m&amp;latest=now</link>
         </drilldown>
       </table>
     </panel>
   </row>
 </dashboard>


briancronrath
Contributor

Looks like this method of escaping does work!

0 Karma

nryabykh
Path Finder

Try inserting this line in the link tag:

search?q=| makeresults | eval test="$row.test$" | rex field=test "(%3F&lt;testxtract&gt;.*)"&amp;earliest=-15m&amp;latest=now

It works fine for me. The point is that you need to escape both < > in XML (with &lt; and &gt;) and ? & in URL (with %3F and &amp;).

0 Karma

elliotproebstel
Champion

How about creating a macro with the rex extraction you need, and you can reference the macro in your drilldown code?

0 Karma

spayneort
Contributor

This works for me:

<dashboard>
  <label>bug_repro</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval test="test"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">search?q=|makeresults | eval test="$row.test$"| rex field=test "(%3F<testxtract>.*)"&amp;earliest=$earliest$&amp;latest=$latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

0 Karma

briancronrath
Contributor

How are you able to save that dashboard? It gives me an "Error parsing XML on line 18: Premature end of data in tag dashboard line 1" (essentially because line 13 has those characters in it).

0 Karma

briancronrath
Contributor

Was able to find a workaround by using sed mode for rex, which was also annoying because the "+" character just shows up as a space when using the clickthrough, so I had to work around that further and find a way to make it work with a "*" character, which seems to be one it can actually handle. In the meantime, though, it definitely seems like clickthrough generated searches are quite buggy, no? There are several characters it just can't handle at all. I should also note that after you use these characters and save it through the UI, trying to ever edit that drilldown through the UI again is a mistake, because it will delete most of your search, and unless you catch that it's doing that, you'll lose everything you worked on.

0 Karma
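
The two escaping layers described in the replies above (percent-encoding for the URL, entity escaping for the XML) and the "+" turning into a space, shown as an added example that is not code from any poster or from Splunk. The helper names and the sample query using `.+` are constructed for illustration, and the decode step assumes the link is decoded with standard URL query-string rules.

```python
from urllib.parse import quote, urlsplit, parse_qs
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed sample query; "$row.test$" is the dashboard token from the thread.
SAMPLE_SPL = '| makeresults | eval test="$row.test$" | rex field=test "(?<testxtract>.+)"'


def build_drilldown_link(spl, earliest="-15m", latest="now"):
    """Return text that can be pasted between <link> and </link>."""
    # Layer 1 (URL): percent-encode every reserved character in the SPL,
    # including ? < > + and quotes. "$" stays literal so tokens such as
    # $row.test$ are still recognisable in the link.
    q = quote(spl, safe="$")
    url = (f"search?q={q}&earliest={quote(earliest, safe='$')}"
           f"&latest={quote(latest, safe='$')}")
    # Layer 2 (XML): escape & < > so the dashboard source stays well-formed.
    return escape(url)


def xml_escape_only_link(spl):
    """Handle only the XML layer, as in the original repro."""
    return escape(f"search?q={spl}&earliest=-15m&latest=now")


def decode_drilldown_link(link_text):
    """Undo both layers: XML parser first, then URL query parser."""
    url = ET.fromstring(f"<link>{link_text}</link>").text
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in params.items()}


if __name__ == "__main__":
    good = build_drilldown_link(SAMPLE_SPL)
    print(good)
    print(decode_drilldown_link(good)["q"] == SAMPLE_SPL)
    # With XML escaping alone, the "+" comes back as a space after URL decoding.
    print(decode_drilldown_link(xml_escape_only_link(SAMPLE_SPL))["q"])
```
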

briancronrath
Contributor

I should also add, since I didn't clarify it properly in the original post: the main issue with my original post is that when you click the link generated from the click through, the search is completely cut off past that first less than symbol.

0 Karma

philipmattocks
Path Finder

Hi,

Can you try using CDATA in your link, something like:

      <link target="_blank"><![CDATA[
  search?q=|makeresults | eval test="$row.test$" | rex field=test "(?<testxtract>.*)"&amp;earliest=-15m&amp;latest=now
]]></link>

Did that help?

0 Karma

briancronrath
Contributor

Unfortunately not, same thing happens: when you click the link, the search that spawns has nothing past the first less than character.

0 Karma