- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Direct HTML drilldown breaks %-character encod...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Direct HTML drilldown breaks %-character encoding on click?
I would like to drilldown. If I use the drilldown editor and set to auto, this works, but this is unacceptable because we need the link to open in a new tab. So I tried setting the drilldown editor to custom, which I've done a thousand times before including with other drilldowns on the dashboard I am having problems with. However for one specific drilldown, the custom drilldown made it so only a blank search would open in the new tab. In response I followed https://answers.splunk.com/answers/621427/custom-drilldown-search-not-working.html and coded the non-tokenized precise HTML link directly into my SimpleXML.
However the encoding of the % character breaks on click. Literally if I copy and paste the drilldown HTML code from SimpleXML into my browser, it works, but not if I click to drilldown. Splunk Answer #621427 deals with the drilldown editor breaking %-character encoding, but this is a HTML drilldown breaking %-character encoding.
Any assistance?
SimpleXML: <base search> | where NOT duo_status="Active" | stats count(eval(isnull(mobile))) as nonairwatch_duo_inactive custom drilldown works
SimpleXML: <base search> | eval last_vpn_access=strptime(last_vpn_access,"%Y-%m-%d %H:%M:%S") custom drilldown breaks
SimpleXML drilldown HTML link: ... %20%7C%20eval%20last_vpn_access=strptime(last_vpn_access,%22%25Y-%25m-%25d%20%25H:%25M:%25S%22) correct syntax
Browser URL when clicked: https:// ... %20|%20eval%20last_vpn_access=strptime(last_vpn_access,"%Y-%m-%d%20%H:%M:%S") incorrect syntax
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition, Splunk fails to encode ? in 7.2.0 HTML IN the SimpleXML HTML drilldown link. It leaves it as ? and does not properly encode the %3F. There are many other HTML encoding issues in 7.2.0 HTML e.g. it will randomly insert "%0A" and break the drilldown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a possible solution. I have not tried it yet
Gregg Woodcock:church: 6:13 PM
Did you try the filters like |u and |n and |s?
Nick 4:09 PM
no, mind explaining further @Gregg Woodcock?
Gareth Anderson 5:24 PM
Token filters
Token filters ensure that you correctly capture the value of a token.
FilterDescriptionWrap value in quotes
$token_name|s$Ensures that quotation marks surround the value referenced by the token. Escapes all quotation characters, ", within the quoted value.HTML format
$token_name|h$Ensures that the token value is valid for HTML formatting.
Token values for the element use this filter by default.
URL format
$token_name|u$Ensures that the token value is valid to use as a URL.
Token values for the element use this filter by default.
Specify no character escaping
$token_name|n$Prevents the default token filter from running. No characters in the token are escaped.
5:24
https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/tokens
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nick405060
Can you please share your sample code?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
