Solved: How to escape double quotes in a Dashboard?

ma_anand1984 · ‎07-16-2013

In my dashboard, i display log messages in a table. There are logs which has double quotes. I use custom drilldown to goto search app.

Now when i click messages with double quotes, I get unbalanced quotes error. I can escape in search app with a slash and it works. But if i use eval - replace in my dashboard to add a slash, that slash is escaped automatically by splunk and i get \" instead of \".

I know i can remove double quotes in my dashboard to make it work, but im looking to escape the quotes in-order to show users accurate error messages

sideview · ‎07-17-2013

Splunk's SimpleResultsTable and JSChart/FlashChart modules don't have any mechanism to escape either backslashes or double-quotes automatically for drilldowns. So for those modules drilldowns on such tokens as C:\foo\bar\baz as well as this "has some doublequotes" in it will end up searching on the wrong thing or will fail with parse errors.

Sideview Utils, which you're using here (I can tell from $click.fields.msg$ as well as from knowing you from lots of previous questions/emails), does a lot of careful work and patches to provide a consistent $click.fields.fieldName$ key that is backslash-escaped, and a $click.fields.fieldName.rawValue$ key that is not. (in general for every Sideview key that might be destined for the search language, and that comes from user input or from a field value in search results, there will be a *.rawValue $foo$ token as well. the normal escaped key is for anything that goes directly into search language. The *.rawValue equivalent is what you should use for redirects, URL arguments, and to display HTML to the user.)

Unfortunately there's an oversight in the Sideview code. While it very carefully escapes backslash characters correctly in all of its testcases, escaping C:\foo\bar\baz correctly, it forgets that double-quote characters are equally problematic.

I can fix this fairly easily just by tracing through the code and since the set of testcases is pretty much already there, and I'll get it fixed in the next release.

View solution in original post

sideview · ‎07-17-2013

Splunk's SimpleResultsTable and JSChart/FlashChart modules don't have any mechanism to escape either backslashes or double-quotes automatically for drilldowns. So for those modules drilldowns on such tokens as C:\foo\bar\baz as well as this "has some doublequotes" in it will end up searching on the wrong thing or will fail with parse errors.

Sideview Utils, which you're using here (I can tell from $click.fields.msg$ as well as from knowing you from lots of previous questions/emails), does a lot of careful work and patches to provide a consistent $click.fields.fieldName$ key that is backslash-escaped, and a $click.fields.fieldName.rawValue$ key that is not. (in general for every Sideview key that might be destined for the search language, and that comes from user input or from a field value in search results, there will be a *.rawValue $foo$ token as well. the normal escaped key is for anything that goes directly into search language. The *.rawValue equivalent is what you should use for redirects, URL arguments, and to display HTML to the user.)

Unfortunately there's an oversight in the Sideview code. While it very carefully escapes backslash characters correctly in all of its testcases, escaping C:\foo\bar\baz correctly, it forgets that double-quote characters are equally problematic.

I can fix this fairly easily just by tracing through the code and since the set of testcases is pretty much already there, and I'll get it fixed in the next release.

ma_anand1984 · ‎07-17-2013

For the sake of new splunkers,

I'm using Core Splunk module SimpleResultsTable. But with the addition of SV (Side View utils), i can access special fields like $click.fields.msg$. they are called $foo$ tokens

if you have SV installed go to
http:///en-US/app/sideview_utils/custom_keys
http:///en-US/app/sideview_utils/linking2_tables

for more information

ma_anand1984 · ‎07-17-2013

Thanks Nick, let me know when this is available. I am really surprised that nobody asked about this in splunk so far. I feel its such a basic requirement.

linu1988 · ‎07-17-2013

Use &quot instead of the quote in your search expression in xml

ma_anand1984 · ‎07-17-2013

@drainy

Non Function error : <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.x

im displaying this under field msg.Im passing this value in drilldown search as msg="$click.fields.msg$". Now my search is failing with "unbalanced quote" error

Drainy · ‎07-17-2013

Could you post a couple of example events?

chimbudp · ‎07-17-2013

create a proper REGEX for the items inside the "" and extract the value

chimbudp · ‎07-17-2013

have u tried extract field option?

ma_anand1984 · ‎07-17-2013

note: im using SimpleResultsTable with
$click.fields.field_name$

How to escape double quotes in a Dashboard?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM