Dashboards & Visualizations

## How to escape double quotes in a Dashboard?

Contributor

In my dashboard, i display log messages in a table. There are logs which has double quotes. I use custom drilldown to goto search app.

Now when i click messages with double quotes, I get unbalanced quotes error. I can escape in search app with a slash and it works. But if i use eval - replace in my dashboard to add a slash, that slash is escaped automatically by splunk and i get \" instead of \".

I know i can remove double quotes in my dashboard to make it work, but im looking to escape the quotes in-order to show users accurate error messages

Tags (4)
1 Solution
SplunkTrust

Splunk's SimpleResultsTable and JSChart/FlashChart modules don't have any mechanism to escape either backslashes or double-quotes automatically for drilldowns. So for those modules drilldowns on such tokens as C:\foo\bar\baz as well as this "has some doublequotes" in it will end up searching on the wrong thing or will fail with parse errors.

Sideview Utils, which you're using here (I can tell from $click.fields.msg$ as well as from knowing you from lots of previous questions/emails), does a lot of careful work and patches to provide a consistent $click.fields.fieldName$ key that is backslash-escaped, and a $click.fields.fieldName.rawValue$ key that is not. (in general for every Sideview key that might be destined for the search language, and that comes from user input or from a field value in search results, there will be a *.rawValue $foo$ token as well. the normal escaped key is for anything that goes directly into search language. The *.rawValue equivalent is what you should use for redirects, URL arguments, and to display HTML to the user.)

Unfortunately there's an oversight in the Sideview code. While it very carefully escapes backslash characters correctly in all of its testcases, escaping C:\foo\bar\baz correctly, it forgets that double-quote characters are equally problematic.

I can fix this fairly easily just by tracing through the code and since the set of testcases is pretty much already there, and I'll get it fixed in the next release.

SplunkTrust

Splunk's SimpleResultsTable and JSChart/FlashChart modules don't have any mechanism to escape either backslashes or double-quotes automatically for drilldowns. So for those modules drilldowns on such tokens as C:\foo\bar\baz as well as this "has some doublequotes" in it will end up searching on the wrong thing or will fail with parse errors.

Sideview Utils, which you're using here (I can tell from $click.fields.msg$ as well as from knowing you from lots of previous questions/emails), does a lot of careful work and patches to provide a consistent $click.fields.fieldName$ key that is backslash-escaped, and a $click.fields.fieldName.rawValue$ key that is not. (in general for every Sideview key that might be destined for the search language, and that comes from user input or from a field value in search results, there will be a *.rawValue $foo$ token as well. the normal escaped key is for anything that goes directly into search language. The *.rawValue equivalent is what you should use for redirects, URL arguments, and to display HTML to the user.)

Unfortunately there's an oversight in the Sideview code. While it very carefully escapes backslash characters correctly in all of its testcases, escaping C:\foo\bar\baz correctly, it forgets that double-quote characters are equally problematic.

I can fix this fairly easily just by tracing through the code and since the set of testcases is pretty much already there, and I'll get it fixed in the next release.

Contributor

For the sake of new splunkers,

I'm using Core Splunk module SimpleResultsTable. But with the addition of SV (Side View utils), i can access special fields like $click.fields.msg$. they are called $foo$ tokens

if you have SV installed go to
http:///en-US/app/sideview_utils/custom_keys

Contributor

Thanks Nick, let me know when this is available. I am really surprised that nobody asked about this in splunk so far. I feel its such a basic requirement.

Champion

Use &quot instead of the quote in your search expression in xml

Contributor

@drainy

Non Function error : <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.x

im displaying this under field msg.Im passing this value in drilldown search as msg="$click.fields.msg$". Now my search is failing with "unbalanced quote" error

Champion

Could you post a couple of example events?

Contributor

create a proper REGEX for the items inside the "" and extract the value

Contributor

have u tried extract field option?

Contributor

note: im using SimpleResultsTable with
$click.fields.field_name$

State of Splunk Careers