Dashboards & Visualizations

In a dashboard, why can't I configure a drill down with a rex command containing special characters?

Explorer

I'm working on a dashboard, and trying to configure a drill down with a custom search. If the custom search contains the rex command, which includes several special characters including ?, <, >, then the drill down doesn't work. When clicking on a row in the dashboard to drill down, a new tab opens in chrome that just says about: blank, instead of opening a new tab with the Splunk search in it.

Steps to reproduce the issue

1) Create a test dashboard using the following simple XML:

  <label>dashboard test 1</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=wineventlog | head 10 | stats count by host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

2) Configure the drilldown. Choose Link to search > Custom, and paste in the following query. Save everything.

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain

Note: Here is the simple XML this creates for me

        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(?<domain>.*)"
| table domain&amp;earliest=&amp;latest=</link>
        </drilldown>

3) Click on a row in the dashboard, and observe a new tab opening that just says about:blank.

alt text

4) Go back and edit the drill down, and now enter the following query (I know the rex command isn't fully correct here!)

index=wineventlog host=$row.host$
| head 10
| rex field=Message "Domain:(domain.*)"
| table domain

5) Again click on a row in the dashboard, and this time observe that a tab opens up with the splunk search.

Note that obviously there is an issue with the rex command; it doesn't have everything it needs. However, my point in showing this is to provide evidence that the problem can be narrowed down to the ?, <, or > characters causing the issue where just a blank tab opens up in the browser.

alt text

Why can't I configure a drill down, and in the custom search use the rex command with the ?, <, and > characters? Is there a way to get this to work?

Tags (3)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

@elyp

Can you please try this?

<form>
        <label>dashboard test 1</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=_internal | head 10 | stats count by host</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">cell</option>
         <drilldown>
           <link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
         </drilldown>
       </table>
     </panel>
   </row>
     </form>

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@elyp

Can you please try this?

<form>
        <label>dashboard test 1</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=_internal | head 10 | stats count by host</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">cell</option>
         <drilldown>
           <link target="_blank"><![CDATA[ search?earliest=&latest=&q=index=wineventlog host=$row.host$ | head 10 | rex field=Message "Domain:(%3F<domain>.*)" | table domain]]></link>
         </drilldown>
       </table>
     </panel>
   </row>
     </form>

View solution in original post

0 Karma

Explorer

This worked.

So you have to wrap it in CDATA....AND THEN manually url encode at least one specific special character yourself. Space, =, \ , ., <, > all don't have to be url encoded, but ? does.

Does anyone know why CDATA doesn't handle this character?

0 Karma

SplunkTrust
SplunkTrust

Some characters have special meaning in Simple XML files. To prevent the source code parser from treating them as special characters, wrap them in tags. But I think for URL encoding you have to handle this character.

http://docs.splunk.com/Documentation/Splunk/7.1.3/Viz/OverviewofSimplifiedXML#Special_characters_in_...

0 Karma

SplunkTrust
SplunkTrust

As @richgalloway mentioned, rex needs to be URL-encoded

Try below drilldown, it is working in my lab environment

        <drilldown>
          <link target="_blank">search?q=index=wineventlog host=$row.host$
 | head 10
 | rex field=Message "Domain:(%3F&lt;domain&gt;.*)"
 | table domain&amp;earliest=-60m@m&amp;latest=now</link>
        </drilldown>
0 Karma

Explorer

This didn't work. I had to wrap it in CDATA like kamlesh_vaghela's example.

0 Karma

SplunkTrust
SplunkTrust

Strange, for me this is working fine in 7.1.2

0 Karma

SplunkTrust
SplunkTrust

Such a well-written question!

Have you tried URL-encoding the rex arguments within the drilldown ?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!