How to escape double quotes in a Dashboard?

ma_anand1984
Contributor

In my dashboard, I display log messages in a table. There are logs which have double quotes. I use a custom drilldown to go to the search app.

Now when I click messages with double quotes, I get an unbalanced quotes error. I can escape in the search app with a slash and it works. But if I use eval - replace in my dashboard to add a slash, that slash is escaped automatically by Splunk and I get \" instead of \".

I know I can remove double quotes in my dashboard to make it work, but I'm looking to escape the quotes in order to show users accurate error messages.

1 Solution

sideview
SplunkTrust

Splunk's SimpleResultsTable and JSChart/FlashChart modules don't have any mechanism to escape either backslashes or double-quotes automatically for drilldowns. So for those modules drilldowns on such tokens as C:\foo\bar\baz as well as this "has some doublequotes" in it will end up searching on the wrong thing or will fail with parse errors.

Sideview Utils, which you're using here (I can tell from $click.fields.msg$ as well as from knowing you from lots of previous questions/emails), does a lot of careful work and patches to provide a consistent $click.fields.fieldName$ key that is backslash-escaped, and a $click.fields.fieldName.rawValue$ key that is not. (In general, for every Sideview key that might be destined for the search language, and that comes from user input or from a field value in search results, there will be a *.rawValue $foo$ token as well. The normal escaped key is for anything that goes directly into search language. The *.rawValue equivalent is what you should use for redirects, URL arguments, and to display HTML to the user.)

Unfortunately there's an oversight in the Sideview code. While it very carefully escapes backslash characters correctly in all of its testcases, escaping C:\foo\bar\baz correctly, it forgets that double-quote characters are equally problematic.

I can fix this fairly easily just by tracing through the code and since the set of testcases is pretty much already there, and I'll get it fixed in the next release.
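
The escaping rule this answer describes, as an added example that is not part of the original post and is not Sideview Utils' own code: it contrasts backslash-only escaping with escaping both characters for a quoted search term. The function names, the sample message and the `q` URL parameter are assumptions.

```javascript
// Added example with hypothetical helper names; not Sideview Utils' code.

// Escape a raw field value for use inside a double-quoted search term.
// Backslashes are doubled first; otherwise the backslash placed in front
// of each quote would itself be doubled by the second pass.
function escapeForSearch(rawValue) {
  return String(rawValue).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// The oversight described above: backslashes handled, quotes forgotten.
function escapeBackslashesOnly(rawValue) {
  return String(rawValue).replace(/\\/g, "\\\\");
}

// Build field="value" from an already-escaped value.
function buildTerm(field, escapedValue) {
  return field + '="' + escapedValue + '"';
}

// Count double quotes that are not backslash-escaped; an odd count is
// what the search parser reports as unbalanced quotes.
function hasBalancedQuotes(search) {
  let unescaped = 0;
  for (let i = 0; i < search.length; i++) {
    if (search[i] === "\\") { i++; continue; } // skip the escaped character
    if (search[i] === '"') unescaped++;
  }
  return unescaped % 2 === 0;
}

// The finished search is URL-encoded once, as a whole, for a redirect.
// "q" and the "search " prefix are assumed here for illustration.
function buildRedirectQuery(search) {
  return "q=" + encodeURIComponent("search " + search);
}

// Constructed sample: a truncated log message with backslashes and one quote.
const rawMsg = 'path C:\\foo\\bar\\baz error="disk full';

const broken = buildTerm("msg", escapeBackslashesOnly(rawMsg));
const fixed = buildTerm("msg", escapeForSearch(rawMsg));

console.log(broken, hasBalancedQuotes(broken));
console.log(fixed, hasBalancedQuotes(fixed));
console.log(buildRedirectQuery(fixed));
```

The raw, unescaped value is the one to HTML-encode for display or to pass as a plain URL argument; only the value placed inside the search string gets the backslash escaping.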

ma_anand1984
Contributor

For the sake of new splunkers,

I'm using Core Splunk module SimpleResultsTable. But with the addition of SV (Side View utils), I can access special fields like $click.fields.msg$. They are called $foo$ tokens.

If you have SV installed, go to
http:///en-US/app/sideview_utils/custom_keys
http:///en-US/app/sideview_utils/linking2_tables

for more information

0 Karma

ma_anand1984
Contributor

Thanks Nick, let me know when this is available. I am really surprised that nobody asked about this in Splunk so far. I feel it's such a basic requirement.

0 Karma

linu1988
Champion

Use &quot instead of the quote in your search expression in xml

0 Karma

ma_anand1984
Contributor

@drainy

Non Function error : <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.x

I'm displaying this under field msg. I'm passing this value in drilldown search as msg="$click.fields.msg$". Now my search is failing with "unbalanced quote" error.

0 Karma

Drainy
Champion

Could you post a couple of example events?

0 Karma

chimbudp
Contributor

Create a proper REGEX for the items inside the "" and extract the value.

0 Karma

chimbudp
Contributor

Have you tried the extract field option?

0 Karma

ma_anand1984
Contributor

Note: I'm using SimpleResultsTable with
$click.fields.field_name$

0 Karma