- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: splunk 8 - special character in drilldown sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi -
I'm struggling with a problem occurring in a drilldown search used in a dashboard panel. On Splunk 7.21, the drilldown works fine; Splunk 8 gives the following error: Invalid earliest time.
I narrowed down the issue to an eval statement in the drilldown - |eval k=mvfilter(match(t, ",1$")) - to match a field that ends with ,1. the issue seems to be with the $. I've tried replacing the $ with %24, %2524, replacing double quotes with single quotes and protecting the $ with a backslash (out of desperation). This all fails - well, the %2524 works once, then will fail with the "Invalid earliest time" error on subsequent executions. When i check the drilldown, splunk has translated %2524 to %$.
Does anyone have any guidance/help to offer?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Prefix $ with another dollar sign.
|eval k=mvfilter(match(t, ",1$$"))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Prefix $ with another dollar sign.
|eval k=mvfilter(match(t, ",1$$"))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you manjunathmeti. Your solution works.
Any thoughts on how to stop splunk 8 from translating hex values? Observing how splunk translated %2524 to %: had us test another search that contains regex to find urls containing %3A, %2F. a snippet of the drilldown regex - https((%253A)|(:))((%252F)|(\/)) In 7.21, the drilldown works - in the browser bar this appears as https((%3A)|(:))((%2F)|(\/)).
splunk 8 translates to https((:)|(:))((/)|(\/)) - any urls in our logs containing %3A, %2F are ignored.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same with %. Prefix it with another % symbol.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the follow up. The %% didn't work - possibly because it's in a regex statement within the drilldown? both %%3A and %25%253A were tried.
the working regex (7.21) is set up to match url:port - | regex _raw="https((%253A)|(:))((%252F)|(\/))((%252F)|(\/))([a-zA-Z0-9.]%2B)((%253A)|(:))(\d%2B)"
On 8, splunk translates %253A to :, %252F to /, but 8 also completely ignores the + (%2B) - no matter if it's a hard coded +, ++, +, %2B or %252B. when the drilldown executes, the regex in the search window looks like:
regex _raw="https((:)|(:))(()|(\/))(()|(\/))([a-zA-Z0-9.] )((:)|(:))(\d )"
(note where the + should be is just a blank space )
or with the %%:
regex _raw="https((%%3A)|(:))((%%2F)|(\/))((%%2F)|(\/))([a-zA-Z0-9.]%%2B)((%%3A)|(:))(\d%%2B)".
Although the initial dashboard panel search shows 6 matches (single value), but the drilldown completely fails and returns 0 results.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
