Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Drilldown Search Removing Math Operators
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the new Drilldown feature in Splunk Enterprise 6.6 to drilldown to a search.
In the Drilldown Editor dialog, I specified "Link to search" and Custom.
My search string includes a simple eval statement using addition:
| eval FakeQty = Qty1 + Qty2
When I test the drilldown after saving the dashboard, the search that appears in the search bar in the new window omits the plus sign in my eval statement, which causes the search to throw an error.
| eval FakeQty = Qty1 Qty2
I have tried this with other operators (subtract, multiply, and divide) successfully, but not with addition. I have been able to replicate the error on multiple searches and dashboards.
I also tried to edit the XML and use + instead of +, but that did not work.
I found this answer, but since I'm not the one in my organization who manages the .conf files, I want to make sure I can give correct instructions regarding my specific issue to the person who does. I'm not 100% sure this is my situation.
https://answers.splunk.com/answers/10281/drilldown-search-operators-out-of-order.html?utm_source=typ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually it only removes the + operator. You can replace it by %2B in your query
FYI, it does the same for the ? char which can be replaced by %3F
I guess it is because these characters are interpreted in the URL.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope Splunk "Drilldown Editor" will automatically replace two characters below. So, the "rex" in drill-down will be ease to code.
1. replace "+" with "%2B" instead of replace with "%20"
2. replace "?" with "%3F"
Thanks
Sincerely
John Hsu
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually it only removes the + operator. You can replace it by %2B in your query
FYI, it does the same for the ? char which can be replaced by %3F
I guess it is because these characters are interpreted in the URL.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The kludge fix is to change it to | eval FakeQty = Qty1 - (-1*Qty2), but this is clearly a temporary workaround.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
