Drilldown of Reports not working as expected under Dashboards

ppurokit
Path Finder

I’m looking for information with respect to drilldown here.

The following is the drilldown query



/app/XXXXXX/flashtimeline?q=sourcetype= "XXXXX" (XXXXX OR XXXXX) | rex "for [\w\d-.]+:(?<src_ip>\d+.\d+.\d+.\d+)/(?<src_port>[a-zA-Z0-9]+)\s+to\s+[\w\d-.]+:(?<dest_ip>\d+.\d+.\d+.\d+)/(?<dest_port>[a-zA-Z0-9]+)" | search src_ip="$row.Source Address$"

But when I click on the drilldown via the dashboard, the query transforms like below.

sourcetype= "XXXXXXX" (XXXXX OR XXXXX) | rex "for [\w\d-.]/ :(?\d/ .\d/ .\d/ .\d/ )/(?[a-zA-Z0-9]/ )\s/ to\s/ [\w\d-.]/ :(?\d/ .\d/ .\d/ .\d/ )/(?[a-zA-Z0-9]/ )" | search src_ip="XX.XX.XX.XX"

If you notice, all the “+” characters from the regex are removed when we click on the drilldowns.

I tried adding both backslash and forward slash for escaping the “+”. But it didn't work out and the same issue still exists.

Can you please suggest us a way to overcome this issue?


sowings
Splunk Employee

You might try wrapping the whole link in CDATA.


<link>
<![CDATA[ <search string> ]]>
</link>

If that doesn't work, know that + is a special character in a URL string (iirc), so you may need to escape it for the destination, by using the character's ASCII value (in hex), after a %. 'man ascii' on my system shows that + would be 2b, so that would be encoded as %2b in your URL.

ppurokit
Path Finder

Hi Sowings,

Substituting %2b fixed this issue. Thanks
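
The round trip discussed in this thread, as an added example (not code from either poster or from Splunk): it decodes the question's link the way a form-style query-string parser does, where `+` means space, first as posted and then after percent-encoding. `fill_tokens`, `ROW` and the assumption that `$...$` tokens must stay literal in the link are illustrative and not taken from Splunk documentation.

```python
import re
from urllib.parse import parse_qs, quote

# Search from the question, placeholders kept exactly as posted.
SEARCH = (
    r'sourcetype= "XXXXX" (XXXXX OR XXXXX) | rex "for [\w\d-.]+:'
    r'(?<src_ip>\d+.\d+.\d+.\d+)/(?<src_port>[a-zA-Z0-9]+)\s+to\s+[\w\d-.]+:'
    r'(?<dest_ip>\d+.\d+.\d+.\d+)/(?<dest_port>[a-zA-Z0-9]+)" '
    r'| search src_ip="$row.Source Address$"'
)
APP_PATH = "/app/XXXXXX/flashtimeline"
TOKEN = re.compile(r"(\$[^$]+\$)")  # dashboard tokens such as $row.Source Address$


def encode_search(search: str) -> str:
    """Percent-encode every character that is special in a URL or in XML,
    leaving $token$ spans literal (assumption: the dashboard substitutes
    tokens in the link text before the browser requests the URL)."""
    parts = TOKEN.split(search)  # odd indexes are the captured tokens
    return "".join(p if i % 2 else quote(p, safe="") for i, p in enumerate(parts))


def fill_tokens(url: str, row: dict) -> str:
    """Stand-in for the dashboard's token substitution (hypothetical helper)."""
    return TOKEN.sub(lambda m: quote(row[m.group(1)[5:-1]], safe=""), url)


def received_search(url: str) -> str:
    """Decode q= the way a form-style query-string parser does: '+' -> space."""
    return parse_qs(url.split("?", 1)[1])["q"][0]


ROW = {"Source Address": "192.0.2.10"}  # constructed sample row
EXPECTED = SEARCH.replace("$row.Source Address$", ROW["Source Address"])

raw_url = f"{APP_PATH}?q={SEARCH}"
safe_url = f"{APP_PATH}?q={encode_search(SEARCH)}"

broken = received_search(fill_tokens(raw_url, ROW))   # '+' quantifiers lost
intact = received_search(fill_tokens(safe_url, ROW))  # matches the intended search

if __name__ == "__main__":
    print("raw link     :", broken)
    print("encoded link :", intact)
    print("<link>\n<![CDATA[ " + safe_url + " ]]>\n</link>")
```

`quote` emits `%2B`; the hex digits of a percent-escape are case-insensitive, so this is the same escape as the `%2b` used in the thread.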
