Drilldown of Reports not working as expected under Dashboards

ppurokit
Path Finder

I’m looking for information with respect to drilldown here.

The following is the drilldown query



/app/XXXXXX/flashtimeline?q=sourcetype= "XXXXX" (XXXXX OR XXXXX) | rex "for [\w\d-.]+:(?<src_ip>\d+.\d+.\d+.\d+)/(?<src_port>[a-zA-Z0-9]+)\s+to\s+[\w\d-.]+:(?<dest_ip>\d+.\d+.\d+.\d+)/(?<dest_port>[a-zA-Z0-9]+)" | search src_ip="$row.Source Address$"

But when I click on the drilldown via the Dashboard, the query transforms like below.

sourcetype= "XXXXXXX" (XXXXX OR XXXXX) | rex "for [\w\d-.]/ :(?\d/ .\d/ .\d/ .\d/ )/(?[a-zA-Z0-9]/ )\s/ to\s/ [\w\d-.]/ :(?\d/ .\d/ .\d/ .\d/ )/(?[a-zA-Z0-9]/ )" | search src_ip="XX.XX.XX.XX"

If you notice, all the “+” characters from the regex are removed when we click on the drilldowns.

I tried adding both backslash and forward slash for escaping the “+”. But it didn't work out and the same issue still exists.

Can you please suggest us a way to overcome this issue?

0 Karma
1 Solution

sowings
Splunk Employee

You might try wrapping the whole link in CDATA.


<link>
<![CDATA[ <search string> ]]>
</link>

If that doesn't work, know that + is a special character in a URL string (iirc), so you may need to escape it for the destination, by using the character's ASCII value (in hex), after a %. 'man ascii' on my system shows that + would be 2b, so that would be encoded as %2b in your URL.

ppurokit
Path Finder

Hi Sowings,

Substituting %2b fixed this issue. Thanks

0 Karma
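
The fix discussed in this thread, as an added example that is not part of the original posts: a form-style query parser decodes a literal `+` as a space, so the search string has to be percent-encoded before it goes into `?q=`. The helper names, the shortened sample search, and the choice to leave `$...$` spans unencoded (on the assumption that the dashboard substitutes those tokens before following the link) are assumptions made for illustration.

```python
import re
from urllib.parse import quote, parse_qs, urlsplit

# Constructed sample: a shortened form of the drilldown search from the question.
SEARCH = (r'sourcetype="XXXXX" | rex "for [\w\d-.]+:(?<src_ip>\d+.\d+.\d+.\d+)/" '
          r'| search src_ip="$row.Source Address$"')

# Dashboard tokens such as $row.Source Address$ (assumed to be substituted
# by the dashboard itself, so they must survive encoding untouched).
TOKEN = re.compile(r'(\$[^$]+\$)')


def encode_search(search: str) -> str:
    """Percent-encode a search string for ?q=, leaving $token$ spans as-is."""
    parts = TOKEN.split(search)
    # With one capture group in the pattern, odd indexes hold the tokens.
    return "".join(p if i % 2 else quote(p, safe="") for i, p in enumerate(parts))


def build_link(app_path: str, search: str) -> str:
    """Return the drilldown link with an encoded q parameter."""
    return f"{app_path}?q={encode_search(search)}"


def decoded_q(link: str, token_value: str) -> str:
    """Simulate token substitution, then decode q as a form-style parser would."""
    link = TOKEN.sub(lambda m: quote(token_value, safe=""), link)
    return parse_qs(urlsplit(link).query)["q"][0]


if __name__ == "__main__":
    raw = f"/app/XXXXXX/flashtimeline?q={SEARCH}"
    fixed = build_link("/app/XXXXXX/flashtimeline", SEARCH)
    print("raw   ->", decoded_q(raw, "10.0.0.1"))    # every + arrives as a space
    print("fixed ->", decoded_q(fixed, "10.0.0.1"))  # regex arrives intact
    print("link  ->", fixed)
```

Because `<`, `>` and `&` are percent-encoded as well, the resulting link contains no characters that are special in the dashboard XML.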