Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Drilldown Search Removing Math Operators

mstark31
Path Finder
‎08-14-2017 01:41 PM

I am using the new Drilldown feature in Splunk Enterprise 6.6 to drilldown to a search.

In the Drilldown Editor dialog, I specified "Link to search" and Custom.

My search string includes a simple eval statement using addition:
| eval FakeQty = Qty1 + Qty2
When I test the drilldown after saving the dashboard, the search that appears in the search bar in the new window omits the plus sign in my eval statement, which causes the search to throw an error.
| eval FakeQty = Qty1 Qty2

I have tried this with other operators (subtract, multiply, and divide) successfully, but not with addition. I have been able to replicate the error on multiple searches and dashboards.
I also tried to edit the XML and use + instead of +, but that did not work.

I found this answer, but since I'm not the one in my organization who manages the .conf files, I want to make sure I can give correct instructions regarding my specific issue to the person who does. I'm not 100% sure this is my situation.
https://answers.splunk.com/answers/10281/drilldown-search-operators-out-of-order.html?utm_source=typ...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cardinalga
Explorer
‎08-23-2017 07:23 AM

Actually it only removes the + operator. You can replace it by %2B in your query

FYI, it does the same for the ? char which can be replaced by %3F

I guess it is because these characters are interpreted in the URL.

View solution in original post

Reply
Solved! Jump to solution

johnthsu
Engager
‎10-04-2019 09:05 AM

I hope Splunk "Drilldown Editor" will automatically replace two characters below. So, the "rex" in drill-down will be ease to code.
1. replace "+" with "%2B" instead of replace with "%20"
2. replace "?" with "%3F"

Thanks
Sincerely
John Hsu

0 Karma
Reply
Solved! Jump to solution
Solution

cardinalga
Explorer
‎08-23-2017 07:23 AM

Actually it only removes the + operator. You can replace it by %2B in your query

FYI, it does the same for the ? char which can be replaced by %3F

I guess it is because these characters are interpreted in the URL.

Reply
Solved! Jump to solution

mstark31
Path Finder
‎08-14-2017 01:47 PM

The kludge fix is to change it to | eval FakeQty = Qty1 - (-1*Qty2), but this is clearly a temporary workaround.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...