In my dashboard, I display log messages in a table. There are logs which have double quotes. I use a custom drilldown to go to the search app.
Now when I click messages with double quotes, I get an unbalanced quotes error. I can escape in the search app with a slash and it works. But if I use eval - replace in my dashboard to add a slash, that slash is escaped automatically by Splunk and I get \\" instead of \".
I know I can remove double quotes in my dashboard to make it work, but I'm looking to escape the quotes in order to show users accurate error messages.
Splunk's SimpleResultsTable and JSChart/FlashChart modules don't have any mechanism to escape either backslashes or double-quotes automatically for drilldowns. So for those modules, drilldowns on such tokens as C:\foo\bar\baz as well as this "has some doublequotes" in it will end up searching on the wrong thing or will fail with parse errors.
Sideview Utils, which you're using here (I can tell from $click.fields.msg$ as well as from knowing you from lots of previous questions/emails), does a lot of careful work and patches to provide a consistent $click.fields.fieldName$ key that is backslash-escaped, and a $click.fields.fieldName.rawValue$ key that is not. (In general, for every Sideview key that might be destined for the search language, and that comes from user input or from a field value in search results, there will be a *.rawValue $foo$ token as well. The normal escaped key is for anything that goes directly into search language. The *.rawValue equivalent is what you should use for redirects, URL arguments, and to display HTML to the user.)
Unfortunately there's an oversight in the Sideview code. While it very carefully escapes backslash characters correctly in all of its testcases, escaping C:\foo\bar\baz correctly, it forgets that double-quote characters are equally problematic.
I can fix this fairly easily just by tracing through the code, since the set of testcases is pretty much already there, and I'll get it fixed in the next release.
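The split the answer above describes (an escaped value for the search language, the raw value for URL arguments and HTML display), sketched as an added example that is not code from this thread, from Sideview Utils or from Splunk. The function names and the simplified quoted-string reader are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Sideview Utils or Splunk code.

// Escape a raw field value for use inside a double-quoted search term.
// Backslashes go first; if quotes went first, the backslash added in front
// of each quote would be doubled by the second pass.
function escapeForSearch(raw) {
  return String(raw).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

function searchTerm(field, raw) {
  return field + '="' + escapeForSearch(raw) + '"';
}

// Simplified model (an assumption, not Splunk's parser) of reading a quoted
// value back: a backslash takes the next character literally, and the first
// unescaped quote ends the value. Returns null when the quotes never close.
function readQuotedValue(term) {
  let i = term.indexOf('"');
  if (i < 0) return null;
  let out = "";
  for (i += 1; i < term.length; i++) {
    const c = term[i];
    if (c === "\\" && i + 1 < term.length) { out += term[++i]; continue; }
    if (c === '"') return out;
    out += c;
  }
  return null; // unbalanced quotes
}

// Escaping for HTML display is a different context with different rules.
function escapeForHtml(raw) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(raw).replace(/[&<>"']/g, (c) => map[c]);
}

// One raw value, three destinations: only the search string is
// backslash-escaped; the URL argument and the HTML start from the raw value.
function drilldownValues(field, raw) {
  return {
    search: searchTerm(field, raw),
    urlArg: encodeURIComponent(raw),
    html: escapeForHtml(raw),
  };
}

// Sample values taken from the answer above, plus a constructed trailing-backslash case.
for (const raw of ['C:\\foo\\bar\\baz', 'this "has some doublequotes" in it', 'C:\\foo\\']) {
  console.log(drilldownValues("msg", raw), readQuotedValue('msg="' + raw + '"'));
}
```

With no escaping, the quoted sample reads back as only `this `, and a value ending in a backslash swallows the closing quote, which is the unbalanced-quote case.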
For the sake of new Splunkers,
I'm using the core Splunk module SimpleResultsTable. But with the addition of SV (Sideview Utils), I can access special fields like $click.fields.msg$. They are called $foo$ tokens.
If you have SV installed, go to
http://
http://
for more information
Thanks Nick, let me know when this is available. I am really surprised that nobody has asked about this in Splunk so far. I feel it's such a basic requirement.
Use &quot; instead of the quote in your search expression in XML.
@drainy
Non Function error : <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.x
I'm displaying this under field msg. I'm passing this value in the drilldown search as msg="$click.fields.msg$". Now my search is failing with an "unbalanced quote" error.
Could you post a couple of example events?
Create a proper REGEX for the items inside the "" and extract the value.
Have you tried the extract field option?
Note: I'm using SimpleResultsTable with
$click.fields.field_name$