Custom drilldown search not working

tmontney
Builder

On a dashboard I have a panel with the following search:

index="perfmon" counter="% Processor Time" host!="HOST1*" host!="HOST2" host!="HOST3"
| bucket _time span=35m
| stats avg(Value) AS AVERAGE count(Value) AS INSTANCES by host
| where AVERAGE > 25
| where INSTANCES >= 2
| eval Occurances=Round(INSTANCES/2,0)
| table host Occurances
| head 10
| sort Occurances
| reverse

I just discovered drilldowns, so I set it to Link to Search (Custom) new tab.

index="perfmon" counter="% Processor Time" host="$click.value2$"

I click the leftmost column (host), and all I see is "Loading...". I inspect Chrome's console and I see a "malformed Uri" error. Comparing the URL to that of a normal search, it seems a bit off.

https://MYSPLKSERVER/en-US/app/MYAPP/search?q=index=%22perfmon%22%20counter=%22%%20Processor%20Time%...

vs a regular search

https://MYSPLKSERVER/en-US/app/MYAPP/search?q=search%20index%3D%22perfmon%22%20counter%3D%22%25%20Pr...

I think it's missing q=search and is not encoding the URL properly (equal signs specifically). My version is 7.0 for the server.

I've resorted to just using a URL (to create the search manually), but that's really not ideal.

1 Solution

jeffland
SplunkTrust

It seems that Splunk does not URL-encode the % character on drilldown. That looks like a bug; a quick fix is to do it yourself. Edit the Simple XML of your dashboard (Edit - Source) and find the line where it says

<drilldown>
  <link target="_blank">search?q=index="perfmon" counter="% Processor Time" host="$click.value2$"</link>
</drilldown>

Change the percent sign to its URL-encoded value %25 like this:

<drilldown>
  <link target="_blank">search?q=index="perfmon" counter="%25 Processor Time" host="$click.value2$"</link>
</drilldown>

And it should work as expected.

davidcaccia
Engager

I ran into this issue in the UI for Splunk 7.0.0 and had to manually perform the URL encoding, as recommended here... that is, when adding a search string to the panel to define a custom drill-down action. (Is there another path that obviates the need to perform manual URL encoding?)

0 Karma

niketn
Legend

Try the following which has URL Encoding for Quotes, Spaces and Percent:

<drilldown>
  <link target="_blank">search?q=index=%22perfmon%22%20counter=%22%2525%20Processor%20Time%22%20host=%22$click.value2$%22&amp;earliest=-24h@h&amp;latest=now</link>
</drilldown>

Moreover, if you are on Splunk Enterprise 6.6 or higher, you do not need to code the drilldown; this feature is available through the UI Edit itself. This implies that if you create a drilldown link to search via the UI, you do not have to worry about URL encoding, as Splunk will do it for you. Please try it out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

davebo1896
Communicator

%2525 in simplexml is a workaround (as of 7.2.3)
You can also replace % with %25 in the UI editing view

jeffland
SplunkTrust

IIRC, quotes and spaces are encoded correctly on drilldown regardless of what you set in Simple XML - only percent isn't. I don't know whether using the UI editor makes a difference (if it encodes the URL on writing it to Simple XML, it could make a difference - otherwise it shouldn't).

0 Karma

nickdewijer
Explorer

I'm experiencing the same problem with having upgraded to 7.2.1 (newest version of Splunk as of this writing).

0 Karma

jeffland
SplunkTrust

If you have a support entitlement, you could file a bug report.

0 Karma

davebo1896
Communicator

SPL-163158 is the bug number

0 Karma
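
The encoding layers discussed in this thread, as an added example that is not part of any post and is not Splunk's code: it models the URL handling with the standard JavaScript `encodeURI`, `encodeURIComponent` and `decodeURIComponent` functions, and shows why a bare `%` fails to decode and why `%25` or `%2525` is needed depending on how many decode passes the link goes through. The host value `HOST9`, the helper names and the number of decode passes are assumptions for illustration.

```javascript
// Added example, not Splunk code: models the encode/decode layers with standard JS.
// Constructed sample: the thread's drilldown search with a sample host value.
const SPL = 'index="perfmon" counter="% Processor Time" host="HOST9"';

// Encoding as seen in the failing drilldown URL: quotes and spaces are
// percent-encoded, but a literal '%' is passed through untouched.
function encodeLeavingPercent(s) {
  return s.split('%').map(encodeURI).join('%');
}

// Full encoding of the q= value, as in the "regular search" URL
// ('%' becomes %25, '=' becomes %3D, and the leading "search " is included).
function encodeQuery(spl) {
  return 'search?q=' + encodeURIComponent('search ' + spl);
}

// Apply n decode passes and report the pass at which decoding fails, if any.
function decodePasses(value, n) {
  let current = value;
  for (let pass = 1; pass <= n; pass++) {
    try {
      current = decodeURIComponent(current);
    } catch (e) {
      // A '%' not followed by two hex digits raises URIError ("URI malformed").
      return { ok: false, failedAtPass: pass, error: e.name };
    }
  }
  return { ok: true, value: current };
}

const broken = encodeLeavingPercent(SPL);    // contains "%22%%20Processor"
const fixed = encodeURIComponent(SPL);       // '%' written as %25
const doubled = encodeURIComponent(fixed);   // '%' written as %2525

console.log('broken :', broken, decodePasses(broken, 1));
console.log('fixed  :', fixed, decodePasses(fixed, 1));
console.log('fixed, decoded twice  :', decodePasses(fixed, 2));
console.log('doubled, decoded twice:', decodePasses(doubled, 2));
console.log('full link:', encodeQuery(SPL));
```

A value that survives one decode pass can still fail at a second one, which is consistent with one reply reporting `%25` as sufficient and another reporting `%2525` as the workaround.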