topic Re: Using | rex with $ in Dashboards in Splunk Search

How to reliably use a | rex command in a dashboard?

bitnapper — Wed, 19 Apr 2023 21:17:28 GMT

Hi,

I regularly have the problem, that I save searches containing regexes with $ characters to a dashboard where they are then not showing any result. I guess I have to escape them somehow. It seems while saving them the $ characters are automatically duplicated but it that is supposed to be some kind of escaping its not working.

I could not find anything in the documentation but since there are plenty I was not shure where to look exactly. Can anyone tell me how to reliably use a | rex command in a dashboard?

| rex field=_raw "\s(?<hash>\S+)$"

Re: Using | rex with $ in Dashboards

gcusello — Tue, 18 Apr 2023 14:33:43 GMT

Hi @bitnapper,

$ in a regex means that you are at the end of the raw.

I found some problem escaping the \ (backslash) that's the escape char so sometimes instead using two backslashed I had to use threee of them, but I never found problems on $.

About use in a dashboard, insert your rehex in the search, test te search and save it in the dashboard.

If you directly insert a regex in a dashboard, remember to replace:

< with <
> with >

Ciao.

Giuseppe

Re: Using | rex with $ in Dashboards

bitnapper — Tue, 18 Apr 2023 15:15:45 GMT

Hi @gcusello,

I have never had issues with <> or / but regularly with $. Testing it in the search does not help since the issue is exactly that it works in the search but not in the dashboard. But thanks for explaning to me what $ does, I would not have guessed that and just thrown it into the mix because it looks good 😉

So is there a documentation about how Splunk Dashboards deal with searches and what escaping is necessary or not?

Kind Regards

btn

Re: Using | rex with $ in Dashboards

gcusello — Tue, 18 Apr 2023 15:23:00 GMT

Hi @bitnapper,

I usually test my regexes in regex101.com (that also explays the regexes!) and then I check them in Splunk.

In this way the only differences I experienced are backslashes.

Ciao.

Giuseppe

Re: Using | rex with $ in Dashboards

bitnapper — Tue, 18 Apr 2023 17:32:14 GMT

Hi @gcusello,

thank you for trying but your answer has nothing todo with my question. I'm not asking about regex per se , I want to know which escaping is neccessary in dashboards.

Re: Using | rex with $ in Dashboards

gcusello — Wed, 19 Apr 2023 07:35:44 GMT

Hi @bitnapper ,

in my experience the only differences in escaping in searching and dashboards is backslash, also because if you escape $ you don't ute the notation of enf or row.

Ciao.

Giuseppe

Re: Using | rex with $ in Dashboards

bitnapper — Wed, 19 Apr 2023 12:03:26 GMT

thanks for your guesses. still looking for a documentation.

Re: Using | rex with $ in Dashboards

gcusello — Wed, 19 Apr 2023 12:04:54 GMT

Hi @bitnapper,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Using | rex with $ in Dashboards

rut — Wed, 19 Apr 2023 17:30:25 GMT

Hi @bitnapper,

Assuming you're creating XML dashboards, you could also try using CDATA. Edit the dashboard (go to the raw view), go to the search that you want to edit and wrap it in CDATA. An example:

You can read more about cdata at MDN or wikipedia:

https://developer.mozilla.org/en-US/docs/Web/API/CDATASection

https://en.wikipedia.org/wiki/CDATA

Re: Using | rex with $ in Dashboards

bitnapper — Wed, 19 Apr 2023 19:50:44 GMT

Thanks @rut , thats acually helps.

I still don't understand why that happens. I write a search and from the search page I save to a new or existing dashboard. Shouldn't that be applied automatically?

Re: Using | rex with $ in Dashboards

rut — Wed, 19 Apr 2023 20:12:11 GMT

That’s a good question. When you save a search in the dashboard UI it gets stored encoded, e.g. Splunk translates > into > so the search doesn’t break the underlying XML. You can see this happening when you inspect the XML after editing a search.

This should work fine in most cases, but maybe something is happening with token replacements? Those also use $. What happens if you execute the search with the magnifying glass in the bottom of the panel, is the pattern still the same?

Re: Using | rex with $ in Dashboards

bitnapper — Wed, 19 Apr 2023 20:28:36 GMT

I don't have problems with tokens but I have encountered these problems with searches containing rex-commands with $ charachters. And those indeed get duplicated. So if I have something like | rex field=_raw "\s(?<x>\S+)$" after storing and then opening it again it has been converted to | rex field=_raw "\s(?<x>\S+)$$". Thats why I was asking for escaping $ characters but I'll test the CDATA tomorrow. It sounds very promising.