Dashboards & Visualizations

Direct HTML drilldown breaks %-character encoding on click?

nick405060
Motivator

I would like to drilldown. If I use the drilldown editor and set to auto, this works, but this is unacceptable because we need the link to open in a new tab. So I tried setting the drilldown editor to custom, which I've done a thousand times before including with other drilldowns on the dashboard I am having problems with. However for one specific drilldown, the custom drilldown made it so only a blank search would open in the new tab. In response I followed https://answers.splunk.com/answers/621427/custom-drilldown-search-not-working.html and coded the non-tokenized precise HTML link directly into my SimpleXML.

However the encoding of the % character breaks on click. Literally if I copy and paste the drilldown HTML code from SimpleXML into my browser, it works, but not if I click to drilldown. Splunk Answer #621427 deals with the drilldown editor breaking %-character encoding, but this is a HTML drilldown breaking %-character encoding.

Any assistance?

SimpleXML: <base search> | where NOT duo_status="Active" | stats count(eval(isnull(mobile))) as nonairwatch_duo_inactive custom drilldown works

SimpleXML: <base search> | eval last_vpn_access=strptime(last_vpn_access,"%Y-%m-%d %H:%M:%S") custom drilldown breaks
SimpleXML drilldown HTML link: ... %20%7C%20eval%20last_vpn_access=strptime(last_vpn_access,%22%25Y-%25m-%25d%20%25H:%25M:%25S%22) correct syntax
Browser URL when clicked: https:// ... %20|%20eval%20last_vpn_access=strptime(last_vpn_access,"%Y-%m-%d%20%H:%M:%S") incorrect syntax

Labels (1)
0 Karma

nick405060
Motivator

In addition, Splunk fails to encode ? in 7.2.0 HTML IN the SimpleXML HTML drilldown link. It leaves it as ? and does not properly encode the %3F. There are many other HTML encoding issues in 7.2.0 HTML e.g. it will randomly insert "%0A" and break the drilldown

0 Karma

nick405060
Motivator

This is a possible solution. I have not tried it yet

Gregg Woodcock:church: 6:13 PM
Did you try the filters like |u and |n and |s?

Nick 4:09 PM
no, mind explaining further @Gregg Woodcock?

Gareth Anderson 5:24 PM
Token filters
Token filters ensure that you correctly capture the value of a token.
FilterDescriptionWrap value in quotes
$token_name|s$Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.HTML format
$token_name|h$Ensures that the token value is valid for HTML formatting.
Token values for the element use this filter by default.
URL format
$token_name|u$Ensures that the token value is valid to use as a URL.
Token values for the element use this filter by default.
Specify no character escaping
$token_name|n$Prevents the default token filter from running. No characters in the token are escaped.
5:24
https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/tokens

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@nick405060

Can you please share your sample code?

0 Karma