- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm working on a dashboard, and trying to configure a drill down with a custom search. If the custom search contains the rex command, which includes several special characters including ?, <, >, then the drill down doesn't work. When clicking on a row in the dashboard to drill down, a new tab opens in chrome that just says about: blank, instead of opening a new tab with the Splunk search in it.
Steps to reproduce the issue
1) Create a test dashboard using the following simple XML:
<label>dashboard test 1</label>
<row>
<panel>
<table>
<search>
<query>index=wineventlog | head 10 | stats count by host</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
2) Configure the drilldown. Choose Link to search > Custom, and paste in the following query. Save everything.
index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain
Note: Here is the simple XML this creates for me
<option name="drilldown">cell</option>
<drilldown>
<link target="_blank">search?q=index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain&earliest=&latest=</link>
</drilldown>
3) Click on a row in the dashboard, and observe a new tab opening that just says about:blank.
4) Go back and edit the drill down, and now enter the following query (I know the rex command isn't fully correct here!)
index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(domain.*)"
| table domain
5) Again click on a row in the dashboard, and this time observe that a tab opens up with the splunk search.
Note that obviously there is an issue with the rex
command; it doesn't have everything it needs. However, my point in showing this is to provide evidence that the problem can be narrowed down to the ?, <, or > characters causing the issue where just a blank tab opens up in the browser.
Why can't I configure a drill down, and in the custom search use the rex command with the ?, <, and > characters? Is there a way to get this to work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
@elyp
Can you please try this?
<form>
<label>dashboard test 1</label>
<row>
<panel>
<table>
<search>
<query>index=_internal | head 10 | stats count by host</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">cell</option>
<drilldown>
<link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
</drilldown>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
@elyp
Can you please try this?
<form>
<label>dashboard test 1</label>
<row>
<panel>
<table>
<search>
<query>index=_internal | head 10 | stats count by host</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">cell</option>
<drilldown>
<link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
</drilldown>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked.
So you have to wrap it in CDATA....AND THEN manually url encode at least one specific special character yourself. Space, =, \ , ., <, > all don't have to be url encoded, but ? does.
Does anyone know why CDATA doesn't handle this character?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
Some characters have special meaning in Simple XML files. To prevent the source code parser from treating them as special characters, wrap them in tags. But I think for URL encoding you have to handle this character.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/8f9f8/8f9f8be385e0d2f593269e58bfaf88583aa0052f" alt="harsmarvania57 harsmarvania57"
As @richgalloway mentioned, rex needs to be URL-encoded
Try below drilldown, it is working in my lab environment
<drilldown>
<link target="_blank">search?q=index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(%3F<domain>.*)"
| table domain&earliest=-60m@m&latest=now</link>
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This didn't work. I had to wrap it in CDATA like kamlesh_vaghela's example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/8f9f8/8f9f8be385e0d2f593269e58bfaf88583aa0052f" alt="harsmarvania57 harsmarvania57"
Strange, for me this is working fine in 7.1.2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/00ea7/00ea728ddd59db76fcdafc5039051fc288625212" alt="richgalloway richgalloway"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
Such a well-written question!
Have you tried URL-encoding the rex
arguments within the drilldown ?
If this reply helps you, Karma would be appreciated.
data:image/s3,"s3://crabby-images/a266d/a266d0c80c12793a952b209c17cc3de41b17fc89" alt=""