Solved: Re: In a dashboard, why can't I configure a drill ...

elyp · ‎10-02-2018

I'm working on a dashboard, and trying to configure a drill down with a custom search. If the custom search contains the rex command, which includes several special characters including ?, <, >, then the drill down doesn't work. When clicking on a row in the dashboard to drill down, a new tab opens in chrome that just says about: blank, instead of opening a new tab with the Splunk search in it.

Steps to reproduce the issue

1) Create a test dashboard using the following simple XML:

  <label>dashboard test 1</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=wineventlog | head 10 | stats count by host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

2) Configure the drilldown. Choose Link to search > Custom, and paste in the following query. Save everything.

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain

Note: Here is the simple XML this creates for me

        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain&amp;earliest=&amp;latest=</link>
        </drilldown>

3) Click on a row in the dashboard, and observe a new tab opening that just says about:blank.

4) Go back and edit the drill down, and now enter the following query (I know the rex command isn't fully correct here!)

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(domain.*)"
| table domain

5) Again click on a row in the dashboard, and this time observe that a tab opens up with the splunk search.

Note that obviously there is an issue with the rex command; it doesn't have everything it needs. However, my point in showing this is to provide evidence that the problem can be narrowed down to the ?, <, or > characters causing the issue where just a blank tab opens up in the browser.

Why can't I configure a drill down, and in the custom search use the rex command with the ?, <, and > characters? Is there a way to get this to work?

kamlesh_vaghela · ‎10-03-2018

@elyp

Can you please try this?

<form>
        <label>dashboard test 1</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=_internal | head 10 | stats count by host</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">cell</option>
         <drilldown>
           <link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
         </drilldown>
       </table>
     </panel>
   </row>
     </form>

View solution in original post

kamlesh_vaghela · ‎10-03-2018

@elyp

Can you please try this?

<form>
        <label>dashboard test 1</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=_internal | head 10 | stats count by host</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">cell</option>
         <drilldown>
           <link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
         </drilldown>
       </table>
     </panel>
   </row>
     </form>

elyp · ‎10-03-2018

This worked.

So you have to wrap it in CDATA....AND THEN manually url encode at least one specific special character yourself. Space, =, \ , ., <, > all don't have to be url encoded, but ? does.

Does anyone know why CDATA doesn't handle this character?

kamlesh_vaghela · ‎10-04-2018

Some characters have special meaning in Simple XML files. To prevent the source code parser from treating them as special characters, wrap them in tags. But I think for URL encoding you have to handle this character.

http://docs.splunk.com/Documentation/Splunk/7.1.3/Viz/OverviewofSimplifiedXML#Special_characters_in_...

harsmarvania57 · ‎10-03-2018

As @richgalloway mentioned, rex needs to be URL-encoded

Try below drilldown, it is working in my lab environment

        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
 | head 10
 | rex field=Message "Domain:(%3F&lt;domain&gt;.*)"
 | table domain&amp;earliest=-60m@m&amp;latest=now</link>
        </drilldown>

elyp · ‎10-03-2018

This didn't work. I had to wrap it in CDATA like kamlesh_vaghela's example.

harsmarvania57 · ‎10-03-2018

Strange, for me this is working fine in 7.1.2

richgalloway · ‎10-03-2018

Such a well-written question!

Have you tried URL-encoding the rex arguments within the drilldown ?

---
If this reply helps you, Karma would be appreciated.

In a dashboard, why can't I configure a drill down with a rex command containing special characters?

Steps to reproduce the issue

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?