Dashboards & Visualizations

How to escape all the possible special characters in a search string

NamrataRathore
Explorer

I have a dashboard which has two panels; one of them shows the errors and the count of how many times similar error has occurred. Another panel shows the details of the error when clicked on an error.

This error string sometimes has characters like <,>,\, etc. and splunk does not read them as string but characters, which results in error on the panel. I would like to use something which would escape all the possible characters in one go.

Currently, my query looks like this:

index=index_name sourcetype="sourcetype_name" 
[ | makeresults
| eval cleansearch=replace(replace("$search$", "<", "\<"), ">", "\>")
| return $cleansearch]

Is there anything more simpler that I could use that would escape all the possible characters that could cause an issue instead of replacing each character individually?

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

It would have helped if you had mentioned the split and substr to start with!

Try it like this

index=index_name sourcetype="sourcetype_name" 
[ | makeresults
| eval cleansearch=substr(mvindex(split("$search$", ":00 - "),1), 0, 100)."*"
| return $cleansearch
| format "" "" "" "" "" ""] 

View solution in original post

johnhuang
Motivator

You shouldn't have to escape < and >. Simply set your token prefix and suffix to " to have quotes surround your search string.

Keep in mind that if you're editing the XML, you do need to substitute < and > with &lt; and &gt;

 

0 Karma

NamrataRathore
Explorer

Hi ITWhisperer,

Thank you for replying. Above solution doesn't work for me. I am getting the same error as before: "Unable to parse the search: Comparator '<' has an invalid term on the left side."

My query also has split and substr as the error string is way too long and results in error. The whole query is:

index=index_name sourcetype="sourcetype_name" 
[ | makeresults
| eval cleansearch=replace(replace(substr(mvindex(split("$search$", ":00 - "),1), 0, 100) "<", "\<"), ">", "\>")."*"
| return $cleansearch] 
which works but it only work for <,> operators.

I tried |s as you suggested but it doesn't work:

index=index_name sourcetype="sourcetype_name" 
[ | makeresults
| eval cleansearch=substr(mvindex(split("$search|s$", ":00 - "),1), 0, 100)."*"
| return $cleansearch] 

The error string looks like this:
<r>2022-02-02 04:33:34 +11:00 - Serious: Very_long_error_string

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It would have helped if you had mentioned the split and substr to start with!

Try it like this

index=index_name sourcetype="sourcetype_name" 
[ | makeresults
| eval cleansearch=substr(mvindex(split("$search$", ":00 - "),1), 0, 100)."*"
| return $cleansearch
| format "" "" "" "" "" ""] 

NamrataRathore
Explorer

This worked like a charm. Thank you so much! 

And could you please let me know how the format worked here? I am new to Splunk so just wanted to know.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Instead of trying to escape everything, could you not just modify the token so it is enclosed in quotes with embedded quotes escaped?

index=index_name sourcetype="sourcetype_name" $search|s$
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...