In a dashboard, why can't I configure a drill down with a rex command containing special characters?

elyp
Explorer

I'm working on a dashboard, and trying to configure a drill down with a custom search. If the custom search contains the rex command, which includes several special characters including ?, <, >, then the drill down doesn't work. When clicking on a row in the dashboard to drill down, a new tab opens in Chrome that just says about:blank, instead of opening a new tab with the Splunk search in it.

Steps to reproduce the issue

1) Create a test dashboard using the following simple XML:

<dashboard>
  <label>dashboard test 1</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=wineventlog | head 10 | stats count by host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

2) Configure the drilldown. Choose Link to search > Custom, and paste in the following query. Save everything.

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain

Note: Here is the simple XML this creates for me

        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain&amp;earliest=&amp;latest=</link>
        </drilldown>

3) Click on a row in the dashboard, and observe a new tab opening that just says about:blank.

4) Go back and edit the drill down, and now enter the following query (I know the rex command isn't fully correct here!)

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(domain.*)"
| table domain

5) Again click on a row in the dashboard, and this time observe that a tab opens up with the Splunk search.

Note that obviously there is an issue with the rex command; it doesn't have everything it needs. However, my point in showing this is to provide evidence that the problem can be narrowed down to the ?, <, or > characters causing the issue where just a blank tab opens up in the browser.

Why can't I configure a drill down, and in the custom search use the rex command with the ?, <, and > characters? Is there a way to get this to work?

1 Solution

kamlesh_vaghela
SplunkTrust

@elyp

Can you please try this?

<form>
  <label>dashboard test 1</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | head 10 | stats count by host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

elyp
Explorer

This worked.

So you have to wrap it in CDATA... AND THEN manually URL-encode at least one specific special character yourself. Space, =, \, ., <, > all don't have to be URL-encoded, but ? does.

Does anyone know why CDATA doesn't handle this character?


kamlesh_vaghela
SplunkTrust

Some characters have special meaning in Simple XML files. To prevent the source code parser from treating them as special characters, wrap them in tags. But I think for URL encoding you have to handle this character.

http://docs.splunk.com/Documentation/Splunk/7.1.3/Viz/OverviewofSimplifiedXML#Special_characters_in_...


harsmarvania57
Ultra Champion

As @richgalloway mentioned, rex needs to be URL-encoded.

Try the drilldown below; it is working in my lab environment.

        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
 | head 10
 | rex field=Message "Domain:(%3F&lt;domain&gt;.*)"
 | table domain&amp;earliest=-60m@m&amp;latest=now</link>
        </drilldown>

elyp
Explorer

This didn't work. I had to wrap it in CDATA like kamlesh_vaghela's example.


harsmarvania57
Ultra Champion

Strange, for me this is working fine in 7.1.2


richgalloway
SplunkTrust

Such a well-written question!

Have you tried URL-encoding the rex arguments within the drilldown?

---
If this reply helps you, Karma would be appreciated.
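
An added example, not part of any post in this thread, of the URL-encoding approach suggested above. It goes further than the thread by percent-encoding the whole search rather than only the `?`, leaves `$row.host$`-style tokens untouched, and XML-escapes the result so the `<link>` body is valid without CDATA. The helper names are hypothetical, and it assumes Splunk decodes the `q=` parameter like any other URL query string.

```python
import re
from urllib.parse import quote
from xml.sax.saxutils import escape

# Simple XML tokens such as $row.host$ must stay literal so the dashboard
# can substitute them when a row is clicked.
TOKEN = re.compile(r"(\$[A-Za-z_][\w.|]*\$)")

# The search from the question, including the named capture group (?<domain>...).
SPL = (
    "index=wineventlog host=$row.host$\n"
    "| head 10\n"
    '| rex field=Message "Domain:(?<domain>.*)"\n'
    "| table domain"
)


def encode_spl(spl):
    """Percent-encode an SPL string for use after q=, keeping $token$ intact."""
    parts = TOKEN.split(spl)
    # With one capture group, re.split puts tokens at odd indexes and the
    # literal text between them at even indexes.
    return "".join(p if i % 2 else quote(p, safe="") for i, p in enumerate(parts))


def drilldown_link(spl, earliest="", latest="", target="_blank"):
    """Build a <link> element whose body is a fully encoded search URL."""
    url = "search?q={}&earliest={}&latest={}".format(
        encode_spl(spl), quote(earliest, safe=""), quote(latest, safe="")
    )
    # escape() turns the parameter separators into &amp; so the XML parses.
    return '<link target="{}">{}</link>'.format(target, escape(url))


if __name__ == "__main__":
    print(drilldown_link(SPL, "-60m@m", "now"))
```

The only `?` left in the generated link is the one that starts the query string; the `?`, `<` and `>` of the capture group become `%3F`, `%3C` and `%3E`.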