Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Drilldown not working, even when using <![CDATA]]>

UMDTERPS
Communicator
‎03-05-2021 12:54 PM

I am having a similar issue to this thread here, but my drilldown search still won't work (explanation below):

https://community.splunk.com/t5/Dashboards-Visualizations/In-a-dashboard-why-can-t-I-configure-a-dri...

I have a panel on my dashboard  with a custom drilldown and search.  The search works perfectly when running it as a search on it's own.  However, in the search string we have a "rex" and those don't play nice with drilldowns and XML. 

 

|rex field=field1 "^(?<field2>[^ ]+)"

 

Apparently, according to the thread above,  you need to  wrap the data in "<!CDATA[]]?>":

 

 <link target="_blank"><![CDATA[ search?earliest=&latest=&q=|inputlookup = blah |rex field=field2 "^(?<field>[^ ]+)"|search continues....]]></link>

 

The drilldown will execute and open another tab, but the search stops at 

 

rex field=field2 "^(

 

I get an error saying "Unbalanced quotes."  The search runs on it's own, but not when using a custom drilldown search and wrapping the search in "CDATA."

Any ideas on how to get this search running with rex and no errors in a custom drilldown?

Thanks

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2021 05:17 PM

The original drilldown was failing because the "?" character separates arguments in a URL.  Including one in the search query effectively ending the query.  The "?" needs to be encoded if nothing else.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2021 01:49 PM

Try URL-encoding the drilldown target.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

UMDTERPS
Communicator
‎03-05-2021 02:11 PM


https://docs.splunk.com/Documentation/Splunk/7.1.3/Viz/OverviewofSimplifiedXML#Special_characters_in...

|rex field=field1 "^(?<field2>[^ ]+)"

URL Encoded below:

| rex field=field1 &quot;^(?&lt;field2&gt;[^ ]+)&quot;


I'm assuming this is what you mean?

When I run the the drilldown, I get:

Error in 'SearchParser': Missing a search command before '^'. Error at position '211' of search query '| inputlookup data.csv ...{snipped} {errorcontext = IG_ID&gt;[^ ]+)&quot;}'.




0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2021 05:17 PM

The original drilldown was failing because the "?" character separates arguments in a URL.  Including one in the search query effectively ending the query.  The "?" needs to be encoded if nothing else.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

UMDTERPS
Communicator
‎03-08-2021 02:53 PM

Yeah, I ended up replacing the "?" with "%3F" and the "+" with "%2B" in the  "<link target="_blank">search?q=.....</link>" and it worked.

Seems like it's not listed here?:

https://docs.splunk.com/Documentation/Splunk/8.1.2/Viz/OverviewofSimplifiedXML

Thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-09-2021 05:41 AM

Submit feedback on that doc page letting them know of your experience.  They'll likely change the page.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

UMDTERPS
Communicator
‎03-17-2021 09:41 AM

Thanks, I submitted feedback on  the page. 👍

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...