Dashboards & Visualizations

How to search field for input with backslash

Contributor

Dear All,

I am stuck on an always empty result when searching with a form input that contains a backslash "\".
To illustrate the case, I have some Windows Event log records loaded in Splunk, and available values for the field OS_USER are:

Administrator
NT AUTHORITY\SYSTEM
DEV001\Administrator

I have a simple form, with a drop-down box, in which the user is supposed to filter records by OS user name.
When I search with * default or Administrator (choice 1) - I do get the results.

When I search with any of the two other choices (containing a backslash) - I receive "No results found." This is an error because the records are there, for both back-slashed options.

I tried the CDATA and |s$ - to no result.
Browsed the answers - but found nothing.

Can one please advise on this painful backslash issue?
Even telling me that it is better to REMOVE the backslash right at the moment of the data ingest and not deal with it at all!

at your disposal for further info

best regards
Altin

ps. my form is Simple XML

0 Karma

Re: How to search field for input with backslash

SplunkTrust

Please post the actual search language from underneath the dash. To debug this, we need to see in what way the token is expressed and used, and from that determine how to escape the backslash.

Most likely, from what is described, the token will have to be modified after setting or there will have to be a second token created that has the backslash properly escaped for the usage.

0 Karma

Re: How to search field for input with backslash

Contributor

Thank you Sir

I didn't exactly get the part "from underneath the dash", but I am pasting below the code for the drop-down and the search:

<form>
  <fieldset>
    <input type="dropdown" token="field_os_user_aa">
      <label>field1</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="Administrator">Administrator</choice>
      <choice value="NT AUTHORITY\SYSTEM">NT AUTHORITY\SYSTEM</choice>
      <choice value="DEV001\Administrator">DEV001\Administrator</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>SYSDBA records</title>
        <search>
          <query>`mc_sysdba`
            | table DB_HOST DB_NAME NT_RECORD_NO USERNAME OS_USER TERMINAL RETURNCODE ACTION_CMD
            | search USERNAME = $field_username$ OS_USER = $field_os_user_aa$
            | sort - _time NT_RECORD_NO</query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

thanks and best regards
Altin

0 Karma

Re: How to search field for input with backslash

SplunkTrust
SplunkTrust

I believe the issue is that the value needs to have quotes around it when it arrives in the SPL.

Try this:

  | search USERNAME = "$field_username$" OS_USER="$field_os_user_aa$" 

If that doesn't work, then you might need to convert the syntax to use match().

  <choice value="NT AUTHORITY\\SYSTEM">NT AUTHORITY\SYSTEM</choice>

 ....

  | search USERNAME = "$field_username$" AND match(OS_USER,"$field_os_user_aa$") 


Re: How to search field for input with backslash

Legend

@altink, as @DalJeanis has provided in his code snippet, you would need to escape the backslash in your input choice value. For searching as a KV pair in Splunk, i.e. search USERNAME=$field_os_user_aa$, you would need to use the value with the escaped backslash. For other places like eval, you might have to use it without escaping the backslash.

<choice value="NT AUTHORITY\\SYSTEM">NT AUTHORITY\SYSTEM</choice>

If you need to use value without escaping backslash, you would need to assign the label to token on the change event of the dropdown:

      <change>
        <set token="field_os_user_aa_label">$label$</set>
      </change>

Following is a run anywhere search example for your reference:

<form>
  <label>Escape slash</label>
  <fieldset>
    <input type="time" token="field_time">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field_os_user_aa">
      <label>field1</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="Administrator">Administrator</choice>
      <choice value="NT AUTHORITY\\SYSTEM">NT AUTHORITY\SYSTEM</choice>
      <choice value="DEV001\\Administrator">DEV001\Administrator</choice>
      <change>
        <set token="field_os_user_aa_label">$label$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>SYSDBA records</title>
        <search>
          <query>| makeresults
           | eval selected_value=$field_os_user_aa_label$
           | search selected_value=$field_os_user_aa$
           | table selected_value</query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
      </table>
      <html>
        <div>Selected Label: $field_os_user_aa_label$</div>
        <div>Selected Value: $field_os_user_aa$</div>
      </html>
    </panel>
  </row>
</form>

@DalJeanis, I feel the code needs some performance improvements:
1) The search filter applied later should actually be in base search in the macro call for faster search. Following should be part of the base search.

USERNAME = $field_username$ OS_USER = $field_os_user_aa$

2) | sort - _time has been used in the query; however, the | table command drops _time from the selected fields.

| eval message="Happy Splunking!!!"

Re: How to search field for input with backslash

Contributor

Thank you very much for your answers.

I tried quotes round the token - and it returned no records in all cases. The token is already quoted start and end.
Furthermore, the fields must appear as they come - without being changed. This means the values in the drop-down should be in their original form:

NT AUTHORITY\SYSTEM
DEV001\Administrator

and not:

NT AUTHORITY\\SYSTEM
DEV001\\Administrator

I guess this drops the solution with $Label$ ?

In the first place, I was looking for some kind of general quotation in Splunk which, once it encapsulates a string, lets that string contain anything and still causes no problem? Most RDBMSs have this, and I wish Splunk did too, because if it doesn't, that will be bad news.

best regards
Altin

0 Karma

Re: How to search field for input with backslash

Legend

@altink, is your dropdown populated by a dynamic search query or by static choice values (i.e. Label and Value)?

If it is a collection of static choices, similar to your example, then your label will be DEV001\Administrator and the value will be DEV001\\Administrator. Users will see the option as the label, while the value will be used only for internal coding. In fact, with $field_os_user_aa$ based on the drop-down value and $field_os_user_aa_label$ based on the drop-down label, you can use both of them as per the need in your Splunk search. For example, use $field_os_user_aa_label$ for the eval command and use $field_os_user_aa$ for the search command. Please do try out the run anywhere dashboard.

If you want the string assigned to the token to be treated as a string (with automatic escape characters) you should use $<YourTokenName>|s$, for example $field_os_user_aa|s$. Refer to one of the answers for escaping token values: https://answers.splunk.com/answers/568209/how-to-prevent-injection-from-field-in-a-dashboard.html
However, while tokens $field_os_user_aa$ and $field_os_user_aa_label$ hold the value as we expect, the challenge would be that characters may/may not need to be escaped and even if they are escaped sometimes they can be handled differently. In other words, special characters need to be handled in SPL and Splunk provides several methods to handle special characters.

Hope this is helpful rather than confusing!

| eval message="Happy Splunking!!!"

Re: How to search field for input with backslash

Contributor

Truly my drop-down is to be populated dynamically. I made a static version here for the sake of simplicity. As for the above - sorry - it was somehow confusing.

I am going to paste the whole code below:

<form>
  <label></label>
  <fieldset submitButton="false">
    <input type="time" token="field_time">
      <label>Time</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field_os_user" searchWhenChanged="true">
      <label>OS User</label>
      <fieldForLabel>OS_USER</fieldForLabel>
      <fieldForValue>OS_USER</fieldForValue>
      <search>
        <query>`mc_sysdba` | DEDUP OS_USER | FIELDS OS_USER</query>
        <earliest>$field_time.earliest$</earliest>
        <latest>$field_time.latest$</latest>
      </search>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>SYSDBA records</title>
        <search>
          <query>`mc_sysdba`
            | search OS_USER = $field_os_user$
            | table _time DB_HOST NT_RECORD_NO OS_USER
            | sort - _time NT_RECORD_NO</query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

I tried the above with:

| search OS_USER = $field_os_user|s$

but in this case there was no result for all cases, Administrator and * included.

As seen above - the drop-down's OS Users are derived with a Dedup from a certain "dataset". What I need to realize is:
1. See the OS user values as they are with their own single backslash "\" - in both drop-down and table.
2. Be able to search the table with a backslash-ed OS User

at your disposal for further queries

thanks and regards
Altin

0 Karma

Re: How to search field for input with backslash

Legend

@altink, change your dropdown input with dynamic query as follows:

 <input type="dropdown" token="field_os_user" searchWhenChanged="true">
   <label>OS User</label>
   <fieldForLabel>OS_USER</fieldForLabel>
   <fieldForValue>OS_USER_VALUE</fieldForValue>
   <search>
     <query>`mc_sysdba` 
| DEDUP OS_USER 
| FIELDS OS_USER
| eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")</query>
     <earliest>$field_time.earliest$</earliest>
     <latest>$field_time.latest$</latest>
   </search>
   <default>*</default>
   <prefix>"</prefix>
   <suffix>"</suffix>
   <change>
     <set token="field_os_user_aa_label">"$label$"</set>
   </change>
 </input>

The above will send the background dropdown value as OS_USER_VALUE with a double slash (\\) wherever a single slash (\) is found. OS_USER_VALUE is assigned to <fieldForValue>.

| eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")

The label token field_os_user_aa_label is also set using the <change> event handler, but it seems like you will not need it.

Remaining things in your dashboard should remain as is. Please try out and confirm.

Following is an updated run anywhere example, with the dropdown based on a dynamic search, similar to your example:

<form>
  <label>Escape Slash</label>
  <fieldset>
    <input type="time" token="field_time">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field_os_user_aa">
      <label>field1 Dynamic</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>OS_USER</fieldForLabel>
      <fieldForValue>OS_USER_VALUE</fieldForValue>
      <search>
        <query>|  makeresults
| eval OS_USER="administrator"
| append [|  makeresults
| eval OS_USER="NT AUTHORITY\SYSTEM"]
| append [|  makeresults
| eval OS_USER="DEV001\Administrator"]
| fields - _time
| eval OS_USER_VALUE=replace(OS_USER,"\\\\","\\\\\\")</query>
      </search>
      <change>
        <set token="field_os_user_aa_label">"$label$"</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>SYSDBA records</title>
        <search>
          <query>| makeresults
           | eval selected_value=$field_os_user_aa_label$
           | search selected_value=$field_os_user_aa$
           | table selected_value</query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
      </table>
      <html>
        <div>Selected Label: $field_os_user_aa_label$</div>
        <div>Selected Value: $field_os_user_aa$</div>
      </html>
    </panel>
  </row>
</form>

| eval message="Happy Splunking!!!"

0 Karma
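Added worked example (not code from this thread or from Splunk): a small Python model of the token path the answers above describe, so the four variants tried in the thread can be compared side by side. The `|s` filter, the <prefix>/<suffix> handling and the escape rules of a double-quoted SPL search term are modelled from their documented behaviour as I understand it (backslash and double quote are escaped with a backslash, and `|s` additionally wraps the value in double quotes); the OS_USER values are constructed sample data; and treating a lone backslash inside a quoted term as a non-match is an assumption made to reproduce the "No results found" reported in the thread. Running it shows why the raw quoted token fails on back-slashed values, why adding `|s` on top of <prefix>/<suffix> fails for every value (the value ends up quoted twice), and why either `|s` alone or the replace() doubling of backslashes works. is_single_quoted_term() is the check a defender wants on any user-controlled token: a value that breaks out of its quotes is being parsed as search syntax, which is the risk the linked injection answer is about.

```python
"""Model of how a Simple XML dropdown value reaches SPL and why the variants
tried in this thread behave as they do.  Constructed example, not Splunk code:
the |s filter, <prefix>/<suffix> handling and quoted-term escape rules are
modelled from their documented behaviour; sample values are constructed."""
import fnmatch

# Constructed sample field values, matching the ones quoted in the question.
SAMPLE_OS_USERS = ["Administrator", "NT AUTHORITY\\SYSTEM", "DEV001\\Administrator"]


def token_s_filter(value: str) -> str:
    """Model of `$token|s$`: escape backslashes and double quotes in the value,
    then wrap the whole thing in double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def apply_prefix_suffix(value: str, prefix: str = '"', suffix: str = '"') -> str:
    """Model of <prefix>/<suffix>: simply concatenated around the raw value."""
    return prefix + value + suffix


def double_backslashes(value: str) -> str:
    r"""The replace(OS_USER,"\\\\","\\\\\\") step of the dynamic dropdown:
    each single backslash in the value becomes two."""
    return value.replace("\\", "\\\\")


def spl_term_for(value: str, *, prefix_suffix: bool, s_filter: bool, doubled: bool) -> str:
    """Build the text that lands after `OS_USER =` in the panel search."""
    token = double_backslashes(value) if doubled else value
    if prefix_suffix:
        token = apply_prefix_suffix(token)
    if s_filter:
        token = token_s_filter(token)
    return token


def unescape_spl_quoted(term: str) -> str:
    r"""Decode one double-quoted SPL search term to the literal pattern it
    matches.  Only `\\` and `\"` are accepted as escapes (the documented ones).
    A lone backslash or an unescaped inner quote raises ValueError: the term is
    malformed or has split into several terms.  Treating that as 'no match' is
    the assumption this model makes about the thread's 'No results found'."""
    if len(term) < 2 or term[0] != '"' or term[-1] != '"':
        raise ValueError(f"not a single quoted term: {term!r}")
    body, out, i = term[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            if i + 1 < len(body) and body[i + 1] in ('\\', '"'):
                out.append(body[i + 1])
                i += 2
                continue
            raise ValueError(f"lone backslash in quoted term: {term!r}")
        if c == '"':
            raise ValueError(f"unescaped quote inside term: {term!r}")
        out.append(c)
        i += 1
    return "".join(out)


def is_single_quoted_term(term: str) -> bool:
    """Defensive check: did the token stay inside one quoted literal?  False
    means part of the user-controlled value is now parsed as search syntax."""
    try:
        unescape_spl_quoted(term)
        return True
    except ValueError:
        return False


def matching_users(variant: str, selected: str) -> list:
    """Which sample OS_USER values the panel search would return for the
    dropdown selection, under the named token-handling variant."""
    term = spl_term_for(selected, **VARIANTS[variant])
    if not is_single_quoted_term(term):
        return []
    pattern = unescape_spl_quoted(term)  # `*` stays a wildcard, as in SPL
    return [u for u in SAMPLE_OS_USERS if fnmatch.fnmatchcase(u, pattern)]


# The four ways the thread wires the token into `| search OS_USER = ...`.
VARIANTS = {
    "raw value with <prefix>/<suffix>": dict(prefix_suffix=True, s_filter=False, doubled=False),
    "<prefix>/<suffix> plus |s": dict(prefix_suffix=True, s_filter=True, doubled=False),
    "|s alone, no <prefix>/<suffix>": dict(prefix_suffix=False, s_filter=True, doubled=False),
    "doubled backslashes with <prefix>/<suffix>": dict(prefix_suffix=True, s_filter=False, doubled=True),
}

if __name__ == "__main__":
    for variant in VARIANTS:
        for selected in SAMPLE_OS_USERS + ["*"]:
            term = spl_term_for(selected, **VARIANTS[variant])
            print(f"{variant:44} {selected:22} -> | search OS_USER = {term:30} "
                  f"matches {matching_users(variant, selected)}")
```

The takeaway for the dashboard is the same as in the answers above: pick one escaping layer, either `|s` on the token with no <prefix>/<suffix>, or the doubled-backslash value behind a quoted prefix/suffix, and never both; and keep the label token for display so users still see the single backslash.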

Re: How to search field for input with backslash

Contributor

But if it takes so much for a single field, what would it be for a dataset of 100 fields, where some 20/30 of them have a backslash in their content?

regards
Altin

0 Karma