
How to search field for input with backslash

altink
Builder

Dear All,

I am stuck on an always empty result when searching with a form input that contains a backslash "\".
To illustrate the case, I have some Windows Event log records loaded in Splunk, and available values for the field OS_USER are:

Administrator 
NT AUTHORITY\SYSTEM
DEV001\Administrator 

I have a simple form, with a drop-down box, in which user is supposed to filter records by OS user name.
When I search with * (default) or Administrator (choice 1), I do get the results.

When I search with either of the two other choices (containing a backslash), I receive "No results found." This is an error because the records are there for both backslashed options.

I tried CDATA and |s$, to no result.
I browsed the answers but found nothing.

Can someone please advise on this painful backslash issue?
Even telling me that it is better to REMOVE the backslash right at the moment of data ingest and not deal with it at all!

at your disposal for further info

best regards
Altin

ps. my form is Simple XML

1 Solution

DalJeanis
Legend

I believe the issue is that the value needs to have quotes around it when it arrives in the SPL.

Try this ..

  | search USERNAME = "$field_username$" OS_USER="$field_os_user_aa$" 

If that doesn't work, then you might need to convert the syntax to use match().

  <choice value="NT AUTHORITY\\SYSTEM">NT AUTHORITY\SYSTEM</choice>

 ....

  | search USERNAME = "$field_username$" AND match(OS_USER,"$field_os_user_aa$") 


niketn
Legend

@altink, the three above in the makeresults query are only for illustration. Usually while answering questions we mock data using the makeresults command, which generates data similar to that provided in the question. Such run-anywhere searches do not just help us (the person asking the question and the community member answering) try out and test the working of the proposed solution, but also let other community members try it out and provide corrections/improvements/alternate solutions, and also help other folks facing similar issues. We also need such mock queries on dummy data because folks asking questions have access to their data and we don't. Hence we cannot be sure of the query working until we mock the data as per the use case.

Coming back to the solution. As stated in my previous comment, you need to try out the following changes to your dashboard:

  <input type="dropdown" token="field_os_user" searchWhenChanged="true">
    <label>OS User</label>
    <fieldForLabel>OS_USER</fieldForLabel>
    <fieldForValue>OS_USER_VALUE</fieldForValue>
    <search>
      <query>`mc_sysdba` 
 | DEDUP OS_USER 
 | FIELDS OS_USER
 | eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")</query>
      <earliest>$field_time.earliest$</earliest>
      <latest>$field_time.latest$</latest>
    </search>
    <default>*</default>
    <prefix>"</prefix>
    <suffix>"</suffix>
    <change>
      <set token="field_os_user_aa_label">"$label$"</set>
    </change>
  </input>

To your concern around hundreds of users: an additional 100 lines of code for each user is NOT REQUIRED. The following single-line query change should take care of the backslash for all OS_USER values in a single line of code.

| eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")

Since the run-anywhere code is confusing you more than helping you out, please try out the code here in this comment, which replaces a single backslash with a double one and assigns it as the dropdown value, while retaining the dropdown label as the one with a single backslash.
Kindly let us know what fails when you plug the above code into your dashboard.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

altink
Builder

Resolved, by advice of Mr. niketnilay and Mr. DalJeanis.

Resolved by using both:
1. drop-down label - for unchanged display of information (no adding/removing of the backslash)
2. drop-down value - for using backslash escaping when searching a field containing one.

I am putting the working code here for rookies like me. The change consisted only in using OS_USER_VALUE in the drop-down (first part).

..........................................................................................
<input type="dropdown" token="field_os_user" searchWhenChanged="true">
      <label>OS User</label>
      <fieldForLabel>OS_USER</fieldForLabel>
      <fieldForValue>OS_USER_VALUE</fieldForValue>
      <search>
        <query>..............
     | DEDUP OS_USER | FIELDS OS_USER 
         | eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")</query>
        <earliest>$field_time.earliest$</earliest>
        <latest>$field_time.latest$</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
..........................................................................................
<table>
        <title>NT records</title>
        <search>
          <query>.............. 
            | search OS_USER = $field_os_user$
            | table _time ..........................................
           </query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
        <option name="rowNumbers">true</option>
      </table>
..........................................................................................

The second part has not changed; it is put here just to show the rest, and to underline the fact that the solution is smartly framed in the drop-down area only. Very very nice!!!

thanks and best regards
Altin

niketn
Legend

@altink I am glad after so many attempts finally it was resolved for you 🙂


DalJeanis
Legend

@niketnilay - You did a lot of work on this, and it will be very confusing for anyone trying to follow. Please pick the most appropriate part of your conversation to be the "answer" and switch it from comment to an answer. We'll get that accepted instead of the base of this thread.


edfuenteso
New Member

Hi @DalJeanis, I have a similar problem....
I have the following source but with NT users, for example CUSTOMER\admin_moss, and this does not show me results.
How should the form be?

SQL Server DB access

<!-- Create a text box; token is "series"                         -->
<!-- label: Label for the text box                                -->
<!-- default: Default value for the form                          -->
<!-- suffix: All tokens are followed by a *                       -->
<!--         If user does not specify text, then search uses '*'  -->
<input type="dropdown" token="user" searchWhenChanged="true">
  <label>Selecciona un Usuario:</label>
  <default>*</default>
  <!-- Define the default value -->
  <choice value="*">All</choice>
  <change>
     <set token="user_label">$label$</set>
  </change>
        <!-- Define the choices with a populating search -->
  <populatingSearch fieldForValue="user" fieldForLabel="user" earliest="-24h" latest="now">
    <![CDATA[index=sqlserver_audit | stats count by "user"]]>
  </populatingSearch>
</input>

<input type="dropdown" token="estado" searchWhenChanged="true">
  <label>Selecciona Resultado Conexión :</label>
  <default>*</default>
  <!-- Define the default value -->
  <choice value="*">All</choice>
  <!-- Define the choices with a populating search -->
  <populatingSearch fieldForValue="estado" fieldForLabel="estado" earliest="-24h" latest="now">
    <![CDATA[index=sqlserver_audit | stats count by estado]]>
  </populatingSearch>
</input>
<input type="dropdown" token="dbname" searchWhenChanged="true">
  <label>Selecciona Nombre de la BD:</label>
  <default>*</default>
  <!-- Define the default value -->
  <choice value="*">All</choice>
  <!-- Define the choices with a populating search -->
  <populatingSearch fieldForValue="dbname" fieldForLabel="dbname" earliest="-24h" latest="now">
    <![CDATA[index=sqlserver_audit | stats count by dbname]]>
  </populatingSearch>
</input>
<!-- Add time range picker -->
<input type="time" searchWhenChanged="true">
  <default>
    <earliestTime>-25h</earliestTime>
    <latestTime>now</latestTime>
  </default>
</input>


<!-- Show results as a table -->
<table>
  <option name="showPager">true</option>
  <option name="count">20</option>
</table>

niketn
Legend

Hi @DalJeanis, even I was confused whether to pick up the mocked up run anywhere search as answer or the more specific answer for this particular question. Ended up picking the more specific one 🙂


DalJeanis
Legend

I believe the issue is that the value needs to have quotes around it when it arrives in the SPL.

Try this ..

  | search USERNAME = "$field_username$" OS_USER="$field_os_user_aa$" 

If that doesn't work, then you might need to convert the syntax to use match().

  <choice value="NT AUTHORITY\\SYSTEM">NT AUTHORITY\SYSTEM</choice>

 ....

  | search USERNAME = "$field_username$" AND match(OS_USER,"$field_os_user_aa$") 

niketn
Legend

@altink, as @DalJeanis has provided in his code snippet, you would need to escape the backslash in your input choice value. For searching as a KV pair in Splunk, i.e. search USERNAME=$field_os_user_aa$, you would need to use the value with the escaped backslash. For other places like eval, you might have to use it without escaping the backslash.

<choice value="NT AUTHORITY\\SYSTEM">NT AUTHORITY\SYSTEM</choice>

If you need to use value without escaping backslash, you would need to assign the label to token on the change event of the dropdown:

      <change>
        <set token="field_os_user_aa_label">$label$</set>
      </change>

Following is a run anywhere search example for your reference:

<form>
  <label>Escape slash</label>
  <fieldset>
    <input type="time" token="field_time">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field_os_user_aa">
      <label>field1</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="Administrator">Administrator</choice>
      <choice value="NT AUTHORITY\\SYSTEM">NT AUTHORITY\SYSTEM</choice>
      <choice value="DEV001\\Administrator">DEV001\Administrator</choice>
      <change>
        <set token="field_os_user_aa_label">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>SYSDBA records</title>
        <search>
          <query>| makeresults
           | eval selected_value=$field_os_user_aa_label$
           | search selected_value=$field_os_user_aa$
           | table selected_value</query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
      </table>
      <html>
        <div>Selected Label: $field_os_user_aa_label$</div>
        <div>Selected Value: $field_os_user_aa$</div>
      </html>
    </panel>
  </row>
</form>

@DalJeanis, I feel the code needs some performance improvements:
1) The search filter applied later should actually be in the base search in the macro call for a faster search. The following should be part of the base search.

USERNAME = $field_username$ OS_USER = $field_os_user_aa$

2) | sort - _time has been used in the query; however, the | table command drops _time from the selected fields.


altink
Builder

Thank you very much for your answers.

I tried quotes around the token, and it returned no records in all cases. The token is already quoted at start and end.
Furthermore, the fields must appear as they come, without being changed. This means the values in the drop-down should be in the original form:

NT AUTHORITY\SYSTEM
DEV001\Administrator

and not:

NT AUTHORITY\\SYSTEM
DEV001\\Administrator

I guess this drops the solution with $Label$ ?

In the first place I was looking for some kind of general quotation in Splunk which, once encapsulating a string, lets that string have anything inside and still creates no problem. Most RDBMSs have this, and I wish Splunk did too, because if it doesn't, that will be bad news.

best regards
Altin


DalJeanis
Legend

@altink - you have to think one step at a time, in the order the system does things.

 <choice value="NT AUTHORITY\\SYSTEM">NT AUTHORITY\SYSTEM</choice>

The quotes are not part of the value, so this leaves the token set to NT AUTHORITY\\SYSTEM

match(OS_USER,"$field_os_user_aa$") 

is filled out as

match(OS_USER,"NT AUTHORITY\\SYSTEM")

For the function match(), the right term is evaluated as a regular expression, so the first slash escapes the second one; thus the field OS_USER will be tested for whether it contains any substring that is equal to NT AUTHORITY\SYSTEM

If I were debugging this, I would try a couple of things.

First, I would hardcode the underlying search in a naked search, and make sure there is something to report. Second, I would hardcode the underlying search for the next value I wanted to get working, and prove that it would work when the token was interpreted correctly. Third, I would do the same thing, but add one line to test whether the token had passed successfully. I suspect that mytest1A and mytest2A should have the same values after these assignments...

| eval mytest1B = NT AUTHORITY\SYSTEM
| eval mytest1A = "NT AUTHORITY\SYSTEM"
| eval mytest2A = $field_os_user_aa_label$
| eval mytest2B = "$field_os_user_aa_label$"

... and so should mytest1B and mytest2B.
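To make the match() reasoning above checkable, here is an added Python model (not code from this thread) of how a regex engine reads the token value. The three OS_USER values are constructed sample data, and regex_literal is a hypothetical helper that goes beyond the thread's backslash-only escaping.

```python
import re

# Constructed sample of the OS_USER field values from the thread (not real event data).
OS_USER_VALUES = ["Administrator", r"NT AUTHORITY\SYSTEM", r"DEV001\Administrator"]


def choice_value(label):
    """The <choice value="..."> form the thread recommends: every backslash in the
    label is doubled, so the regex engine inside match() reads it as one literal
    backslash instead of the start of an escape such as \\S or \\A."""
    return label.replace("\\", "\\\\")


def regex_literal(label):
    """Hypothetical stricter helper: escape every regex metacharacter, not only the
    backslash, so match() tests for the label verbatim. Shown to make the caveat in
    the usage block concrete; SPL has no one-line equivalent of re.escape."""
    return re.escape(label)


def spl_match(field_value, pattern):
    """Model of SPL match(): the right-hand term is a regular expression and the
    field matches when any substring of it satisfies that expression."""
    return re.search(pattern, field_value) is not None


def rows_matching(pattern):
    """Which sample rows survive '| where match(OS_USER, "<pattern>")'."""
    return [v for v in OS_USER_VALUES if spl_match(v, pattern)]


if __name__ == "__main__":
    for label in OS_USER_VALUES:
        raw = rows_matching(label)                    # token carries the single backslash
        escaped = rows_matching(choice_value(label))  # token carries the doubled backslash
        print(f"{label!r:24} raw -> {raw}  escaped -> {escaped}")
    # Why the raw form fails: \S means "any non-whitespace" and \A means "start of
    # string", so neither NT AUTHORITY\SYSTEM nor DEV001\Administrator matches itself.
    # A value with other metacharacters needs more than doubled backslashes:
    odd = "svc.backup (old)"  # constructed value, not from the thread
    print(spl_match(odd, choice_value(odd)), spl_match(odd, regex_literal(odd)))  # False True
```

Note that "Administrator" as a regex also matches DEV001\Administrator, which is the substring behaviour DalJeanis describes; an exact comparison in `search OS_USER="..."` does not have that property.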

altink
Builder

Thank you very much for your help, Sir,

but I didn't get a clue from the last posts, unfortunately less and less from each one.

Maybe it is my fault, maybe it is not. I browsed the forum and found no solution for this case, only some gray answers, not green ones.
I will remove or replace the backslash at the origin and not feed it to Splunk at all, which seems to me to have a "digestion" problem with it 🙂

thank you anyway for your efforts
best regards
Altin


altink
Builder

I tried also with CDATA:

<query>
            `mc_sysdba` 
            | search OS_USER =<![CDATA[$field_os_user$]]>
            | table _time DB_HOST   NT_RECORD_NO OS_USER  
            | sort - _time NT_RECORD_NO
 </query>

Same behavior again: backslashed options return no records.


niketn
Legend

@altink, is your dropdown populated by a dynamic search query or by static choice values (i.e. label and value)?

If it is a collection of static choices, similar to your example, then your label will be DEV001\Administrator and the value will be DEV001\\Administrator. Users will see the option as the label, while the value will be used only for internal coding. In fact, with $field_os_user_aa$ based on the dropdown value and $field_os_user_aa_label$ based on the dropdown label, you can use both of them as per the need in your Splunk search. For example, use $field_os_user_aa_label$ for the eval command and $field_os_user_aa$ for the search command. Please do try out the run-anywhere dashboard.

If you want the string assigned to a token to be treated as a string (with automatic escape characters), you should use $<YourTokenName>|s$, for example $field_os_user_aa|s$. Refer to one of the answers for escaping token values: https://answers.splunk.com/answers/568209/how-to-prevent-injection-from-field-in-a-dashboard.html
However, while the tokens $field_os_user_aa$ and $field_os_user_aa_label$ hold the value as we expect, the challenge would be that characters may or may not need to be escaped, and even if they are escaped, sometimes they can be handled differently. In other words, special characters need to be handled in SPL, and Splunk provides several methods to handle special characters.

Hope this is helpful rather than confusing!


altink
Builder

Truly, my drop-down is to be populated dynamically. I made a static version here for the sake of simplicity. As for the above, sorry, it was somehow confusing.

I am going to Paste the whole code below:

<form>
  <label></label>
  <fieldset submitButton="false">
    <input type="time" token="field_time">
      <label>Time</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field_os_user" searchWhenChanged="true">
      <label>OS User</label>
      <fieldForLabel>OS_USER</fieldForLabel>
      <fieldForValue>OS_USER</fieldForValue>
      <search>
        <query>`mc_sysdba` | DEDUP OS_USER | FIELDS OS_USER</query>
        <earliest>$field_time.earliest$</earliest>
        <latest>$field_time.latest$</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>SYSDBA records</title>
        <search>
          <query>`mc_sysdba` 
            | search OS_USER = $field_os_user$ 
            | table _time DB_HOST   NT_RECORD_NO OS_USER  
            | sort - _time NT_RECORD_NO</query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

tried the above with:

| search OS_USER = $field_os_user|s$ 

but in this case there was no result for all cases, Administrator and * included.

As seen above, the drop-down's OS users are derived with a dedup from a certain "dataset". What I need to realize is:
1. See the OS user values as they are, with their own single backslash "\", in both drop-down and table.
2. Be able to search the table with a backslashed OS user.

at your disposal for further queries

thanks and regards
Altin


niketn
Legend

@altink, change your dropdown input with dynamic query as follows:

 <input type="dropdown" token="field_os_user" searchWhenChanged="true">
   <label>OS User</label>
   <fieldForLabel>OS_USER</fieldForLabel>
   <fieldForValue>OS_USER_VALUE</fieldForValue>
   <search>
     <query>`mc_sysdba` 
| DEDUP OS_USER 
| FIELDS OS_USER
| eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")</query>
     <earliest>$field_time.earliest$</earliest>
     <latest>$field_time.latest$</latest>
   </search>
   <default>*</default>
   <prefix>"</prefix>
   <suffix>"</suffix>
   <change>
     <set token="field_os_user_aa_label">"$label$"</set>
   </change>
 </input>

The above will send the background dropdown value as OS_USER_VALUE with a double slash (\\) wherever a single slash (\) is found. OS_USER_VALUE is assigned to <fieldForValue>.

| eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")

The label token field_os_user_aa_label, set via the <change> event handler, is also set, but it seems you will not need it.

Remaining things in your dashboard should remain as is. Please try out and confirm.

Following is an updated run-anywhere example with a dropdown populated by a dynamic search, similar to your example:

<form>
  <label>Escape Slash</label>
  <fieldset>
    <input type="time" token="field_time">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field_os_user_aa">
      <label>field1 Dynamic</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>OS_USER</fieldForLabel>
      <fieldForValue>OS_USER_VALUE</fieldForValue>
      <search>
        <query>|  makeresults
| eval OS_USER="administrator"
| append [|  makeresults
| eval OS_USER="NT AUTHORITY\SYSTEM"]
| append [|  makeresults
| eval OS_USER="DEV001\Administrator"]
| fields - _time
| eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")</query>
      </search>
      <change>
        <set token="field_os_user_aa_label">"$label$"</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>SYSDBA records</title>
        <search>
          <query>| makeresults
           | eval selected_value=$field_os_user_aa_label$
           | search selected_value=$field_os_user_aa$
           | table selected_value</query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
      </table>
      <html>
        <div>Selected Label: $field_os_user_aa_label$</div>
        <div>Selected Value: $field_os_user_aa$</div>
      </html>
    </panel>
  </row>
</form>
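An added Python walkthrough (not code from this thread) of the token pipeline in the dropdown above and in the earlier solution comment: the OS_USER_VALUE doubling of backslashes, the prefix/suffix quoting, and what the search comparison finally sees. The sample users are constructed, the literal decoding is an assumed model of the search parser, and spl_quote is a hypothetical helper mirroring the $token|s$ filter mentioned elsewhere in the thread.

```python
import re

# Constructed sample of the OS_USER values discussed in the thread (not real event data).
OS_USERS = ["Administrator", r"NT AUTHORITY\SYSTEM", r"DEV001\Administrator"]


def os_user_value(os_user):
    # Python equivalent of the populating-search line
    #   | eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")
    # every single backslash becomes a double backslash; the label is left untouched.
    return os_user.replace("\\", "\\\\")


def dropdown_choices():
    """(label, value) pairs as the dashboard sends them: label=OS_USER, value=OS_USER_VALUE."""
    return [(u, os_user_value(u)) for u in OS_USERS]


def render_search(token_value, prefix='"', suffix='"'):
    """Token substitution for '| search OS_USER = $field_os_user$' with the
    <prefix>"</prefix> and <suffix>"</suffix> settings from the dashboard."""
    return "| search OS_USER = " + prefix + token_value + suffix


def parse_spl_quoted(literal):
    # Assumed model of how the search parser reads ONE double-quoted literal:
    # a backslash escapes the next character (so \\ -> \ and \" -> ", while
    # a stray \S simply loses its backslash). Raises if the text is not exactly
    # one well-formed quoted literal.
    m = re.fullmatch(r'"((?:\\.|[^"\\])*)"', literal)
    if m is None:
        raise ValueError("not a single quoted literal: " + literal)
    return re.sub(r"\\(.)", r"\1", m.group(1))


def value_seen_by_search(token_value, prefix='"', suffix='"'):
    """End to end: the string the OS_USER comparison actually compares against."""
    rendered = render_search(token_value, prefix, suffix)
    return parse_spl_quoted(rendered.split("= ", 1)[1])


def renders_as_one_literal(token_value, prefix='"', suffix='"'):
    """True when the substituted token stays inside a single quoted literal,
    i.e. it cannot alter the rest of the search."""
    try:
        value_seen_by_search(token_value, prefix, suffix)
        return True
    except ValueError:
        return False


def spl_quote(value):
    # Hypothetical helper generalising the thread's replace(): escape backslash AND
    # double quote, then wrap in quotes, which is what $token|s$ does. Use it without
    # <prefix>/<suffix>, otherwise the quotes are doubled.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


if __name__ == "__main__":
    for label, value in dropdown_choices():
        print(f"label={label!r:24} value={value!r:26} search sees={value_seen_by_search(value)!r}")
    # The original dashboard used OS_USER itself as the value, so the parser ate the backslash:
    print(value_seen_by_search(r"NT AUTHORITY\SYSTEM"))  # NT AUTHORITYSYSTEM -> "No results found"
```

The round trip only holds for values the replace() line covers: a label containing a double quote still breaks out of the prefix/suffix quoting, which is why the thread's pointer to $token|s$ (modelled here as spl_quote) is the safer general form.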

altink
Builder

But if it takes so much for a single field, what would it be for a dataset of 100 fields, where some 20/30 of them do have a backslash in the content?

regards
Altin


altink
Builder

And also, a coding for every possible backslashed value of the field?

<query>|  makeresults
 | eval OS_USER="administrator"
 | append [|  makeresults
 | eval OS_USER="NT AUTHORITY\SYSTEM"]
 | append [|  makeresults
 | eval OS_USER="DEV001\Administrator"]
 | fields - _time
 | eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")</query>
       </search>
..................................................................

These 3 users are just an illustration. There can be a hundred users, and even more! Should I write 10 lines of extra code, hard-coded for each option of each field?

best regards
Altin


DalJeanis
Legend

Please post the actual search language from underneath the dash. To debug this, we need to see in what way the token is expressed and used, and from that determine how to escape the backslash.

Most likely, from what is described, the token will have to be modified after setting or there will have to be a second token created that has the backslash properly escaped for the usage.


altink
Builder

Thank you Sir

I didn't exactly get the part "from underneath the dash", but I am pasting below the code for the drop-down and search:

<input type="dropdown" token="field_os_user_aa">
      <label>field1</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="Administrator">Administrator</choice>
      <choice value="NT AUTHORITY\SYSTEM">NT AUTHORITY\SYSTEM</choice>
      <choice value="DEV001\Administrator">DEV001\Administrator</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>SYSDBA records</title>
        <search>
          <query>`mc_sysdba` 
            | table DB_HOST DB_NAME NT_RECORD_NO USERNAME OS_USER TERMINAL RETURNCODE ACTION_CMD 
            | search USERNAME = $field_username$ OS_USER = $field_os_user_aa$ 
            | sort - _time NT_RECORD_NO</query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>

thanks and best regards
Altin
