I have a dashboard with two panels: one shows the errors and a count of how many times each similar error has occurred; the other shows the details of an error when it is clicked.
This error string sometimes contains characters such as <, >, \, etc., and Splunk does not read them as a string but as special characters, which results in an error on the panel. I would like to use something that escapes all the possible characters in one go.
Currently, my query looks like this:
index=index_name sourcetype="sourcetype_name"
[ | makeresults
| eval cleansearch=replace(replace("$search$", "<", "\<"), ">", "\>")
| return $cleansearch]
Is there anything simpler I could use that would escape all the characters that could cause an issue, instead of replacing each character individually?
You shouldn't have to escape < and >. Simply set your token prefix and suffix to " to have quotes surround your search string.
Keep in mind that if you're editing the XML, you do need to substitute < and > with &lt; and &gt;
Hi ITWhisperer,
Thank you for replying. The above solution doesn't work for me. I am getting the same error as before: "Unable to parse the search: Comparator '<' has an invalid term on the left side."
My query also has split and substr, as the error string is way too long and results in an error. The whole query is:
index=index_name sourcetype="sourcetype_name"
[ | makeresults
| eval cleansearch=replace(replace(substr(mvindex(split("$search$", ":00 - "),1), 0, 100), "<", "\<"), ">", "\>")."*"
| return $cleansearch]
which works, but only for the < and > operators.
I tried |s as you suggested, but it doesn't work:
index=index_name sourcetype="sourcetype_name"
[ | makeresults
| eval cleansearch=substr(mvindex(split("$search|s$", ":00 - "),1), 0, 100)."*"
| return $cleansearch]
The error string looks like this:
<r>2022-02-02 04:33:34 +11:00 - Serious: Very_long_error_string
It would have helped if you had mentioned the split and substr to start with!
Try it like this
index=index_name sourcetype="sourcetype_name"
[ | makeresults
| eval cleansearch=substr(mvindex(split("$search$", ":00 - "),1), 0, 100)."*"
| return $cleansearch
| format "" "" "" "" "" ""]
This worked like a charm. Thank you so much!
And could you please let me know how the format worked here? I am new to Splunk, so I just wanted to know.
Instead of trying to escape everything, could you not just modify the token so that it is enclosed in quotes, with embedded quotes escaped?
index=index_name sourcetype="sourcetype_name" $search|s$
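The "quote the whole value and escape what is inside it" approach from the last reply, as an added example that is not from the thread, from Splunk, or from ITWhisperer: a Python model of what the |s token filter is documented to do (wrap the value in double quotes and escape embedded backslashes and double quotes), placed beside the question's per-character replace, with a small unquoter that checks whether the result is a single well-formed term. The index and sourcetype names and the sample error string are constructed for the example, modelled on the thread; the exact semantics of |s and of Splunk's substr(x, 0, 100) are assumptions here, to be verified against your own Splunk version.

```python
"""Constructed example: quote-and-escape a dashboard token value before it is
spliced into an SPL search, instead of replacing one character at a time.

Editor-added illustration, not code from the thread or from Splunk.
quote_for_spl() models the documented behaviour of the `|s` token filter
(wrap in double quotes, escape backslash and double quote); treat that as an
assumption and check it on your Splunk version.
"""

# Constructed sample, modelled on the error string shown in the thread.
SAMPLE_ERROR = "<r>2022-02-02 04:33:34 +11:00 - Serious: Very_long_error_string"


def naive_escape(value: str) -> str:
    """The per-character approach from the question: only < and > are handled,
    so a value containing a double quote or a backslash still breaks the search."""
    return value.replace("<", "\\<").replace(">", "\\>")


def quote_for_spl(value: str) -> str:
    """Wrap the value in double quotes, escaping backslash and double quote
    (the |s-style treatment; every other character is then literal text)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def unquote_spl(quoted: str) -> str:
    """Inverse of quote_for_spl: strip the surrounding quotes and undo the escapes.
    Raises ValueError if `quoted` is not exactly one well-formed quoted term."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("not a quoted term")
    out, i, end = [], 1, len(quoted) - 1
    while i < end:
        ch = quoted[i]
        if ch == "\\":
            i += 1
            if i >= end:
                raise ValueError("dangling backslash")
            out.append(quoted[i])
        elif ch == '"':
            raise ValueError("unescaped quote inside term")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def is_well_formed_term(quoted: str) -> bool:
    """True if the string parses as a single quoted term, False otherwise."""
    try:
        unquote_spl(quoted)
        return True
    except ValueError:
        return False


def trim_message(value: str, sep: str = ":00 - ", limit: int = 100) -> str:
    """Approximates the thread's split/mvindex/substr: keep the text after the
    timestamp separator and cut it to the first `limit` characters (assumption:
    substr(x, 0, 100) is taken as "first 100 characters")."""
    parts = value.split(sep, 1)
    tail = parts[1] if len(parts) > 1 else parts[0]
    return tail[:limit]


def build_search(raw_error: str, index: str = "index_name",
                 sourcetype: str = "sourcetype_name") -> str:
    """Assemble the base search with the trimmed message as one quoted term.
    The trailing * is kept inside the term, as in the thread's query."""
    term = quote_for_spl(trim_message(raw_error) + "*")
    return f"index={index} sourcetype={quote_for_spl(sourcetype)} {term}"


if __name__ == "__main__":
    print(build_search(SAMPLE_ERROR))
    tricky = 'say "hi" \\ <r>'
    print(quote_for_spl(tricky), is_well_formed_term(quote_for_spl(tricky)))
    print(is_well_formed_term('"' + naive_escape(tricky) + '"'))
```

The point of the unquoter is the check a practitioner wants before trusting an escaping scheme: a value with an embedded double quote survives quote_for_spl and round-trips, while the same value run through the per-character replace and then quoted is no longer one term, which is the class of parse error the thread is about.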