Dashboards & Visualizations

How to use value from a drop down that contains reserved characters in a search?


I have a table that shows instances of errors from the event log over time by host.

I use a drop down that searches the event log data for Type="Error" | top limit=20 Message to populate $ErrorMessage$ with the value in the Message column. Then I have a table that uses $ErrorMessage$ and does this search:

Type="Error" Message ="$ErrorMessage$" | eval host=upper(host) | timechart count by host

The table and the drop down both default to 24 hour periods.

It works, except when the Message contains reserved characters, like [ or ]. Then I don't get any matches, even though results show in the drop down.

Do I need to escape characters in $ErrorMessage$ when I do my search for the timechart? If so, how do I do that without knowing what characters will show up or how many?

0 Karma

Ultra Champion

Drop Down search:

| stats count values(host) as host by Message 
| sort 20 - count
| nomv host
| rex field=host mode=sed "s/(\S+)/host=\"\1\" OR /g"
| eval searchquery=trim(host,"OR ")

throw searchquery field.

Timechart search:

Type="Error"  $searchquery$" | eval host=upper(host) | timechart count by host
0 Karma

Ultra Champion
| makeresults
| eval test="[]{}!\"#$%&'()?>< abddeft ?>_test"
| eval test3=replace(test,"[^\w]","_")
| eval test2=$test$

The token looks OK,
If necessary, convert it?

0 Karma


Unfortunately it still came back with no data when I quoted the token and errors when I didn't. I finally got it to work by using the hash for the error message. Thanks.

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...