Dashboards & Visualizations

Can you help me with an issue with a dashboard drilldown query?

stevegadd
Explorer

Any suggestions as to why the following drilldown just returns a blank page? It works just fine in normal search.

    <drilldown>
      <link target="_blank">
        <![CDATA[search?q=|inputlookup ActiveVulnerabilities where (AssetType="Computer") AND ((OS="Win*") OR (OS="Microsoft*")) AND (qid=$click.value$) AND (is_vm="0")| eval timeEpoch = strptime(firstFound, %Y-%m-%d)| eval initialEpoch = strptime("2018-01-01", "%Y-%m-%d")| eval endEpoch = strptime("2018-03-31", "%Y-%m-%d")| where timeEpoch &lt;= endEpoch AND timeEpoch &gt;= initialEpoch| lookup QualysHosts uniq_id OUTPUTNEW| `VulnTable`]]>
      </link>
    </drilldown>
0 Karma
1 Solution

niketn
Legend

@stevegadd there are couple of things you need to take care:

1.timeEpoch = strptime(firstFound, is missing double quotes before and after strptime() format.

2. The strptime() time format has % character which needs to be escaped with corresponding URL Encoded character i.e. %25. However, after resolving in the drilldown the same needs to escape again with 25 suffixed as only % in URL would be passed. %Y would need to be written as %2525Y

Try the following <drilldown> code and confirm:

<drilldown>
  <link target="_blank">search?q=%7Cinputlookup%20ActiveVulnerabilities%20where%20(AssetType=%22Computer%22)%20AND%20((OS=%22Win*%22)%20OR%20(OS=%22Microsoft*%22))%20AND%20(qid=$click.value$)%20AND%20(is_vm=%220%22)%7C%20eval%20timeEpoch%20=%20strptime(firstFound,%20%22%2525Y-%2525m-%2525d%22)%7C%20eval%20initialEpoch%20=%20strptime(%222018-01-01%22,%20%22%2525Y-%2525m-%2525d%22)%7C%20eval%20endEpoch%20=%20strptime(%222018-03-31%22,%20%22%2525Y-%2525m-%2525d%22)%7C%20where%20timeEpoch%20%3C=%20endEpoch%20AND%20timeEpoch%20%3E=%20initialEpoch%7C%20lookup%20QualysHosts%20uniq_id%20OUTPUTNEW%7C%20%60VulnTable%60</link>
</drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@stevegadd there are couple of things you need to take care:

1.timeEpoch = strptime(firstFound, is missing double quotes before and after strptime() format.

2. The strptime() time format has % character which needs to be escaped with corresponding URL Encoded character i.e. %25. However, after resolving in the drilldown the same needs to escape again with 25 suffixed as only % in URL would be passed. %Y would need to be written as %2525Y

Try the following <drilldown> code and confirm:

<drilldown>
  <link target="_blank">search?q=%7Cinputlookup%20ActiveVulnerabilities%20where%20(AssetType=%22Computer%22)%20AND%20((OS=%22Win*%22)%20OR%20(OS=%22Microsoft*%22))%20AND%20(qid=$click.value$)%20AND%20(is_vm=%220%22)%7C%20eval%20timeEpoch%20=%20strptime(firstFound,%20%22%2525Y-%2525m-%2525d%22)%7C%20eval%20initialEpoch%20=%20strptime(%222018-01-01%22,%20%22%2525Y-%2525m-%2525d%22)%7C%20eval%20endEpoch%20=%20strptime(%222018-03-31%22,%20%22%2525Y-%2525m-%2525d%22)%7C%20where%20timeEpoch%20%3C=%20endEpoch%20AND%20timeEpoch%20%3E=%20initialEpoch%7C%20lookup%20QualysHosts%20uniq_id%20OUTPUTNEW%7C%20%60VulnTable%60</link>
</drilldown>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

stevegadd
Explorer

Thanks. That did it

0 Karma

jconger
Splunk Employee
Splunk Employee

It looks like mixing <![CDATA[ ... ]]> with URL escaped characters is causing your problems. If you keep the CDATA, change &gt; to > and &lt; to <. Or, drop the CDATA stuff and keep the URL escaped characters.

0 Karma

stevegadd
Explorer

I tried that and get the same result. Just a blank search page

    <drilldown>
      <link target="_blank">
        <![CDATA[search?q=|inputlookup ActiveVulnerabilities where (AssetType="Computer") AND ((OS="Win*") OR (OS="Microsoft*")) AND (qid=$click.value$) AND (is_vm="0")| eval timeEpoch = strptime(firstFound, %Y-%m-%d)| eval initialEpoch = strptime("2018-01-01", "%Y-%m-%d")| eval endEpoch = strptime("2018-03-31", "%Y-%m-%d")| where timeEpoch <= endEpoch AND timeEpoch >= initialEpoch| lookup QualysHosts uniq_id OUTPUTNEW| `VulnTable`]]>
      </link>
    </drilldown>
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...