topic Re: Why does my drilldown with the rex command return an "Unbalanced quotes" error? in Splunk Search

Why does my drilldown with the rex command return an "Unbalanced quotes" error?

damucka — Tue, 27 Nov 2018 14:00:29 GMT

Hello,

I have the following drilldown in my dashboard panel:

          <link target="_blank"><![CDATA[search?q=index=mlbso sourcetype=$SYSID$_hanatraces earliest=$earliesttime$ latest=$latesttime$ [search index=mlbso sourcetype=$SYSID$_hanatraces  "ALTER SYSTEM ALTER CONFIGURATION" earliest=$earliesttime$ latest=$latesttime$ | rex field=_raw "(?i)(?<=configuration is changed by )(?P<CONNECTION_ID>(?s)(.*))(?=, client ip)" | return $CONNECTION_ID]]]></link>

When I execute it, I get the following search string presented and an "Unbalanced quotes" error:

index=mlbso sourcetype=BWP_hanatraces earliest=1543313122.531 latest=1543313122.537 [search index=mlbso sourcetype=BWP_hanatraces  "ALTER SYSTEM ALTER CONFIGURATION" earliest=1543313122.531 latest=1543313122.537 | rex field=_raw "(

How would I overcome this issue?

Kind Regards,

Kamil

Re: Why does my drilldown with the rex command return an "Unbalanced quotes" error?

MathiasLindblom — Tue, 27 Nov 2018 14:33:52 GMT

Hi, seems like the question mark is messing things up, replace all the question marks with %3F:

<link target="_blank">    <![CDATA[search?q=index=mlbso sourcetype=$SYSID$_hanatraces earliest=$earliesttime$ latest=$latesttime$ [search index=mlbso sourcetype=$SYSID$_hanatraces  "ALTER SYSTEM ALTER CONFIGURATION" earliest=$earliesttime$ latest=$latesttime$ | rex field=_raw "(%3Fi)(%3F<=configuration is changed by )(%3FP<CONNECTION_ID>(%3Fs)(.*))(%3F=, client ip)" | return $CONNECTION_ID]]]></link>

Re: Why does my drilldown with the rex command return an "Unbalanced quotes" error?

damucka — Tue, 27 Nov 2018 14:55:24 GMT

Thank you, it works.