
Dashboard drilldown of _raw log query not producing results

WAChambers
Explorer

Hello Splunk Community,

I'm setting up a new Dashboard view for one of our apps, and I'm having issues with the drilldown option. I cloned another view that works perfectly, which is for similar logs from our firewall (Forward Traffic). When you click on a specific item in the initial output, it is supposed to drill down and give you the raw syslog from that specific event. However, it's not working for this new view. Below is an example from the XML:

<row>
    <panel>
      <table>
        <title>Failed Logins</title>
        <search>
          <query>index=netfw logdesc="SSL VPN login fail" | table _raw _time devname user remip msg reason</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <fields>["_time","devname","user","remip","msg","reason"]</fields>
        <drilldown>
          <set token="rawlog">$row._raw$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>RAW View</title>
        <search>
          <query>index=netfw "$rawlog$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

While the drilldown does not "work", when I check the results by clicking on the magnifying glass, it shows the proper output (index=netfw "raw log output from the clicked event"). However, S&R shows 0 events.

What's odd is, if I copy and paste the raw log output inside of quotes in S&R, it will show 0 events. But, if I take the raw log from the other view that works and paste it in S&R inside of quotes, it pulls up that single event fine. 

Another oddity: the problem logs that I can't cut and paste into search have the word "in" at the tail end of the log string, which is inside quotes. That "in", from "SSL user failed to logged in", is orange in the string.

Any help is much appreciated. I think that "in" could be the cause, but I'm new to Splunk, SPL, etc. Below is the code from the working view; it's slightly different.

<row>
    <panel>
      <table>
        <title>Forward Traffic Logs</title>
        <search>
          <query>index=netfw | table _raw _time devname srcip dstip action service policyid</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <fields>["_time","devname","srcip","dstip","action","service","policyid"]</fields>
        <drilldown>
          <set token="clientTok">$row._raw$</set>
          <set token="forms.clientTok">$row._raw$</set>
          <set token="resultrow">$row.srcip$</set>
          <set token="forms.resultrow">$row.srcip$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Complete Log Details</title>
        <search>
          <query>index=netfw "$clientTok$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>RAW View</title>
        <search>
          <query>index=netfw "$clientTok$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>


ITWhisperer
SplunkTrust

You need to escape the contents of the token

<query>index=netfw $clientTok|s$</query>


WAChambers
Explorer

So, that did not work. The query you highlighted is actually the one that's working. The problem one is actually: 

<query>index=netfw "$rawlog$"</query>

I tried what you noted, and it still did not work. The last "in" in the syslog string for that event is still highlighted, and S&R shows no events that match.

ETA: Here is a screenshot; adding "|s" to the token actually added some errors:

Splunk-drilldown-error-04302021.png


ITWhisperer
SplunkTrust
SplunkTrust

As you can see from your screenshot, the value of the token is enclosed in double double-quotes. This is because you have put double quotes around the token. What I suggested was using the |s on the token without any double quotes around it (fair enough, I showed the example of the wrong token, but the principle is clear). The |s will put double quotes and it will escape other characters, including embedded double quotes as you can also see in your screenshot.

<query>index=netfw $rawlog|s$</query>

WAChambers
Explorer

That worked!!! 

Thanks again, and I'm sorry I missed the quotes. 


WAChambers
Explorer

My apologies, as I missed the quotes. I will try this and report back. I appreciate your help! 


WAChambers
Explorer

No one? Attached is a screenshot of the output from when you click on a log from the original query. As I said, it's working (so the XML is mostly good); however, for some reason S&R isn't showing any results for the log, and that last "in" is highlighted orange like Splunk thinks it's SPL code.

Splunk-drilldown-error-04282021-2.png

Any help is appreciated. 
