topic How to escape all possible special characters in Splunk Search

How to escape all possible special characters

Thulasinathan_M — Wed, 30 Aug 2023 10:28:17 GMT

Hi Splunk Experts,

I've a table and based on a click, I'm holding the value of field in token and using it in a different panel with search command. If there are any special characters the search is getting failed. I've tried replacing it with '*', but that gives me unexpected results. So I'm thinking of escaping all possible special characters in the token value. Please advice!!

Ex:

!@#$%^&*(){}|";:<>/\[]

I want them as below:

\!\@\#\$\%\^\&\*\{\}\|\"\;\:\<\>\/\\\[\]

Re: How to escape all possible special characters

gcusello — Wed, 30 Aug 2023 10:30:36 GMT

Hi @Thulasinathan_M,

if you always have a special char in the beginning of the token, you could add a backslash "\" as prefix to the token.

Ciao.

Giuseppe

Re: How to escape all possible special characters

Thulasinathan_M — Wed, 30 Aug 2023 11:31:23 GMT

Hi @gcusello, It can be anywhere in the text.

Re: How to escape all possible special characters

ITWhisperer — Wed, 30 Aug 2023 11:45:05 GMT

You could try replacing every special character with a backslash followed by that character.

In the following example, the token used in the title is set when the field is clicked. The token value is the contents of the second multi-value in the field, which has been hidden using CSS. (I tried using the replace in the token evaluation directly but it only seems to work on a field not a string.)

<panel depends="$alwayshide$"> <html> <style> #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] { display: none; } </style> </html> </panel> <panel id="escaped"> <table> <title>$escaped$</title> <search> <query>| makeresults | fields - _time | eval param="!@#$%^&*(){}|\";:<>/\\[]" | eval param=mvappend(param,replace(param,"([!@#$%^&*\{\}\|\";:<>\/\\\[\]])","\\\\\1"))</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <eval token="escaped">mvindex($click.value$,1)</eval> </drilldown> </table> </panel>

Re: How to escape all possible special characters

Thulasinathan_M — Wed, 30 Aug 2023 13:17:11 GMT

Thanks @ITWhisperer. This is exactly what I'm looking for, but my text comes from a token. If I do something like below, I get " Error in 'SearchParser': Mismatched ']'."

<init> <eval token="input">"!@#$%^&*(){}|\";:<>/\\[]"</eval> </init> <row> <panel depends="$alwayshide$"> <html> <style> #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] { display: none; } </style> </html> </panel> <panel id="escaped"> <table> <title>$escaped$</title> <search> <query>| makeresults | fields - _time | eval param="$input$" | eval param=mvappend(param,replace(param,"([!@#$%^&*\{\}\|\";:<>\/\\\[\]])","\\\\\1"))</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <eval token="escaped">mvindex($click.value$,1)</eval> </drilldown> </table> </panel> </row>

Re: How to escape all possible special characters

ITWhisperer — Wed, 30 Aug 2023 13:52:06 GMT

Try like this

<init> <set token="input">!@#$%^&*(){}|\";:<>/\\[]</set> </init> <row> <panel depends="$alwayshide$"> <html> <style> #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] { display: none; } </style> </html> </panel> <panel id="escaped"> <table> <title>$escaped$</title> <search> <query>| makeresults | fields - _time | eval param=$input|s$ | eval param=mvappend(param,replace(param,"([!@#$%^&*\{\}\|\";:<>\/\\\[\]])","\\\\\1"))</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <eval token="escaped">mvindex($click.value$,1)</eval> </drilldown> </table> </panel> </row>

Re: How to escape all possible special characters

Thulasinathan_M — Wed, 30 Aug 2023 16:10:28 GMT

Thanks, worked perfectly.