Dashboards & Visualizations

In a dashboard, why can't I configure a drill down with a rex command containing special characters?

elyp
Explorer

I'm working on a dashboard, and trying to configure a drill down with a custom search. If the custom search contains the rex command, which includes several special characters including ?, <, >, then the drill down doesn't work. When clicking on a row in the dashboard to drill down, a new tab opens in chrome that just says about: blank, instead of opening a new tab with the Splunk search in it.

Steps to reproduce the issue

1) Create a test dashboard using the following simple XML:

  <label>dashboard test 1</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=wineventlog | head 10 | stats count by host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

2) Configure the drilldown. Choose Link to search > Custom, and paste in the following query. Save everything.

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain

Note: Here is the simple XML this creates for me

        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain&amp;earliest=&amp;latest=</link>
        </drilldown>

3) Click on a row in the dashboard, and observe a new tab opening that just says about:blank.

alt text

4) Go back and edit the drill down, and now enter the following query (I know the rex command isn't fully correct here!)

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(domain.*)"
| table domain

5) Again click on a row in the dashboard, and this time observe that a tab opens up with the splunk search.

Note that obviously there is an issue with the rex command; it doesn't have everything it needs. However, my point in showing this is to provide evidence that the problem can be narrowed down to the ?, <, or > characters causing the issue where just a blank tab opens up in the browser.

alt text

Why can't I configure a drill down, and in the custom search use the rex command with the ?, <, and > characters? Is there a way to get this to work?

Tags (3)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@elyp

Can you please try this?

<form>
        <label>dashboard test 1</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=_internal | head 10 | stats count by host</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">cell</option>
         <drilldown>
           <link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
         </drilldown>
       </table>
     </panel>
   </row>
     </form>

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@elyp

Can you please try this?

<form>
        <label>dashboard test 1</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=_internal | head 10 | stats count by host</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">cell</option>
         <drilldown>
           <link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
         </drilldown>
       </table>
     </panel>
   </row>
     </form>
0 Karma

elyp
Explorer

This worked.

So you have to wrap it in CDATA....AND THEN manually url encode at least one specific special character yourself. Space, =, \ , ., <, > all don't have to be url encoded, but ? does.

Does anyone know why CDATA doesn't handle this character?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Some characters have special meaning in Simple XML files. To prevent the source code parser from treating them as special characters, wrap them in tags. But I think for URL encoding you have to handle this character.

http://docs.splunk.com/Documentation/Splunk/7.1.3/Viz/OverviewofSimplifiedXML#Special_characters_in_...

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

As @richgalloway mentioned, rex needs to be URL-encoded

Try below drilldown, it is working in my lab environment

        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
 | head 10
 | rex field=Message "Domain:(%3F&lt;domain&gt;.*)"
 | table domain&amp;earliest=-60m@m&amp;latest=now</link>
        </drilldown>
0 Karma

elyp
Explorer

This didn't work. I had to wrap it in CDATA like kamlesh_vaghela's example.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Strange, for me this is working fine in 7.1.2

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Such a well-written question!

Have you tried URL-encoding the rex arguments within the drilldown ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...