Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with an issue with a dashboard drilldown query?

stevegadd
Explorer
‎03-29-2019 05:50 AM

Any suggestions as to why the following drilldown just returns a blank page? It works just fine in normal search.

    <drilldown>
      <link target="_blank">
        <![CDATA[search?q=|inputlookup ActiveVulnerabilities where (AssetType="Computer") AND ((OS="Win*") OR (OS="Microsoft*")) AND (qid=$click.value$) AND (is_vm="0")| eval timeEpoch = strptime(firstFound, %Y-%m-%d)| eval initialEpoch = strptime("2018-01-01", "%Y-%m-%d")| eval endEpoch = strptime("2018-03-31", "%Y-%m-%d")| where timeEpoch &lt;= endEpoch AND timeEpoch &gt;= initialEpoch| lookup QualysHosts uniq_id OUTPUTNEW| `VulnTable`]]>
      </link>
    </drilldown>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-01-2019 11:30 AM

@stevegadd there are couple of things you need to take care:

1.timeEpoch = strptime(firstFound, is missing double quotes before and after strptime() format.

2. The strptime() time format has % character which needs to be escaped with corresponding URL Encoded character i.e. %25. However, after resolving in the drilldown the same needs to escape again with 25 suffixed as only % in URL would be passed. %Y would need to be written as %2525Y

Try the following <drilldown> code and confirm:

<drilldown>
  <link target="_blank">search?q=%7Cinputlookup%20ActiveVulnerabilities%20where%20(AssetType=%22Computer%22)%20AND%20((OS=%22Win*%22)%20OR%20(OS=%22Microsoft*%22))%20AND%20(qid=$click.value$)%20AND%20(is_vm=%220%22)%7C%20eval%20timeEpoch%20=%20strptime(firstFound,%20%22%2525Y-%2525m-%2525d%22)%7C%20eval%20initialEpoch%20=%20strptime(%222018-01-01%22,%20%22%2525Y-%2525m-%2525d%22)%7C%20eval%20endEpoch%20=%20strptime(%222018-03-31%22,%20%22%2525Y-%2525m-%2525d%22)%7C%20where%20timeEpoch%20%3C=%20endEpoch%20AND%20timeEpoch%20%3E=%20initialEpoch%7C%20lookup%20QualysHosts%20uniq_id%20OUTPUTNEW%7C%20%60VulnTable%60</link>
</drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-01-2019 11:30 AM

@stevegadd there are couple of things you need to take care:

1.timeEpoch = strptime(firstFound, is missing double quotes before and after strptime() format.

2. The strptime() time format has % character which needs to be escaped with corresponding URL Encoded character i.e. %25. However, after resolving in the drilldown the same needs to escape again with 25 suffixed as only % in URL would be passed. %Y would need to be written as %2525Y

Try the following <drilldown> code and confirm:

<drilldown>
  <link target="_blank">search?q=%7Cinputlookup%20ActiveVulnerabilities%20where%20(AssetType=%22Computer%22)%20AND%20((OS=%22Win*%22)%20OR%20(OS=%22Microsoft*%22))%20AND%20(qid=$click.value$)%20AND%20(is_vm=%220%22)%7C%20eval%20timeEpoch%20=%20strptime(firstFound,%20%22%2525Y-%2525m-%2525d%22)%7C%20eval%20initialEpoch%20=%20strptime(%222018-01-01%22,%20%22%2525Y-%2525m-%2525d%22)%7C%20eval%20endEpoch%20=%20strptime(%222018-03-31%22,%20%22%2525Y-%2525m-%2525d%22)%7C%20where%20timeEpoch%20%3C=%20endEpoch%20AND%20timeEpoch%20%3E=%20initialEpoch%7C%20lookup%20QualysHosts%20uniq_id%20OUTPUTNEW%7C%20%60VulnTable%60</link>
</drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

stevegadd
Explorer
‎04-01-2019 12:09 PM

Thanks. That did it

0 Karma
Reply
Solved! Jump to solution

jconger
Splunk Employee
Splunk Employee
‎03-29-2019 12:46 PM

It looks like mixing <![CDATA[ ... ]]> with URL escaped characters is causing your problems. If you keep the CDATA, change &gt; to > and &lt; to <. Or, drop the CDATA stuff and keep the URL escaped characters.

0 Karma
Reply
Solved! Jump to solution

stevegadd
Explorer
‎04-01-2019 10:42 AM

I tried that and get the same result. Just a blank search page

    <drilldown>
      <link target="_blank">
        <![CDATA[search?q=|inputlookup ActiveVulnerabilities where (AssetType="Computer") AND ((OS="Win*") OR (OS="Microsoft*")) AND (qid=$click.value$) AND (is_vm="0")| eval timeEpoch = strptime(firstFound, %Y-%m-%d)| eval initialEpoch = strptime("2018-01-01", "%Y-%m-%d")| eval endEpoch = strptime("2018-03-31", "%Y-%m-%d")| where timeEpoch <= endEpoch AND timeEpoch >= initialEpoch| lookup QualysHosts uniq_id OUTPUTNEW| `VulnTable`]]>
      </link>
    </drilldown>
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...