Dashboards & Visualizations

In a dashboard, why can't I configure a drill down with a rex command containing special characters?

elyp
Explorer

I'm working on a dashboard, and trying to configure a drill down with a custom search. If the custom search contains the rex command, which includes several special characters including ?, <, >, then the drill down doesn't work. When clicking on a row in the dashboard to drill down, a new tab opens in Chrome that just says about:blank, instead of opening a new tab with the Splunk search in it.

Steps to reproduce the issue

1) Create a test dashboard using the following simple XML:

<dashboard>
  <label>dashboard test 1</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=wineventlog | head 10 | stats count by host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

2) Configure the drilldown. Choose Link to search > Custom, and paste in the following query. Save everything.

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain

Note: Here is the simple XML this creates for me

        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain&amp;earliest=&amp;latest=</link>
        </drilldown>

3) Click on a row in the dashboard, and observe a new tab opening that just says about:blank.


4) Go back and edit the drill down, and now enter the following query (I know the rex command isn't fully correct here!)

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(domain.*)"
| table domain

5) Again click on a row in the dashboard, and this time observe that a tab opens up with the Splunk search.

Note that obviously there is an issue with the rex command; it doesn't have everything it needs. However, my point in showing this is to provide evidence that the problem can be narrowed down to the ?, <, or > characters causing the issue where just a blank tab opens up in the browser.


Why can't I configure a drill down, and in the custom search use the rex command with the ?, <, and > characters? Is there a way to get this to work?


kamlesh_vaghela
SplunkTrust

@elyp

Can you please try this?

<form>
  <label>dashboard test 1</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | head 10 | stats count by host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>


0 Karma

elyp
Explorer

This worked.

So you have to wrap it in CDATA... AND THEN manually URL-encode at least one specific special character yourself. Space, =, \, ., <, > all don't have to be URL-encoded, but ? does.

Does anyone know why CDATA doesn't handle this character?

0 Karma

kamlesh_vaghela
SplunkTrust

Some characters have special meaning in Simple XML files. To prevent the source code parser from treating them as special characters, wrap them in tags. But I think for URL encoding you have to handle this character.

http://docs.splunk.com/Documentation/Splunk/7.1.3/Viz/OverviewofSimplifiedXML#Special_characters_in_...

0 Karma
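The two layers discussed above (URL encoding of the q= value, then XML escaping of the link text) can be applied mechanically instead of by hand. The sketch below is an added example, not code from any poster or from Splunk; it goes beyond the accepted answer by percent-encoding every reserved character rather than only ?, and assumes the search page decodes q= as an ordinary percent-encoded parameter (the thread confirms this only for %3F). The helper names and the token pattern are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit, parse_qs
from xml.sax.saxutils import escape

# Assumed shape of Simple XML tokens such as $row.host$; they must stay
# unencoded so the dashboard can still substitute them at click time.
TOKEN = re.compile(r"(\$[\w.]+\$)")

def encode_spl(spl):
    """Percent-encode an SPL string for the q= value, leaving $tokens$ intact."""
    parts = TOKEN.split(spl)  # capture group: tokens land at odd indexes
    return "".join(p if i % 2 else quote(p, safe="") for i, p in enumerate(parts))

def drilldown_link(spl, earliest="", latest=""):
    """Build a <link> element: URL layer first, XML layer second."""
    url = "search?q={}&earliest={}&latest={}".format(
        encode_spl(spl), quote(earliest, safe=""), quote(latest, safe=""))
    # After percent-encoding, only the & separators still need XML escaping.
    return '<link target="_blank">{}</link>'.format(escape(url))

def roundtrip(link_xml):
    """Undo both layers (XML parse, then URL parse) and return the q value."""
    url = ET.fromstring(link_xml).text
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["q"][0]

# The query from the question, written out here as a Python string.
SPL = ('index=wineventlog host=$row.host$\n| head 10\n'
       '| rex field=Message "Domain:(?<domain>.*)"\n| table domain')

if __name__ == "__main__":
    link = drilldown_link(SPL, "-60m@m", "now")
    print(link)
    print("round-trips to original SPL:", roundtrip(link) == SPL)
```

Because the result contains no raw <, > or second ?, it does not depend on CDATA; the round-trip check confirms that nothing in the original search is lost across the two encodings.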

harsmarvania57
SplunkTrust

As @richgalloway mentioned, rex needs to be URL-encoded.

Try the drilldown below; it is working in my lab environment.

        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
 | head 10
 | rex field=Message "Domain:(%3F&lt;domain&gt;.*)"
 | table domain&amp;earliest=-60m@m&amp;latest=now</link>
        </drilldown>
0 Karma

elyp
Explorer

This didn't work. I had to wrap it in CDATA like kamlesh_vaghela's example.

0 Karma

harsmarvania57
SplunkTrust

Strange, for me this is working fine in 7.1.2

0 Karma

richgalloway
SplunkTrust

Such a well-written question!

Have you tried URL-encoding the rex arguments within the drilldown?

---
If this reply helps you, Karma would be appreciated.
0 Karma