Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Drilldown option is not working for Custom Search

Trex1
Explorer
‎05-06-2022 10:14 PM

Hi there, 

I am trying to enable drilldown on a dashboard view to use a custom search(see below search string snippet). Although the search with the aforementioned string works fine on its own but its complaining when I use it within the drilldown custom search saying "Unbalanced quotes". Any idea why ? Thanks.

Trex1_1-1651899998670.png

 

 

Trex1_0-1651899968118.png

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2022 06:28 PM

You have some non-encoded parts of the query in that URL - not sure how they are there, but for example

<link target="_blank">search?q=$env$%20%22TechnicalWorkFlow.spkFormSubmissionGlobalOptIn%22%20AND%20%22Opt%20In%20Response%20%3Cresult%20success=%5C%22false%5C%22%22%0A%7Crex%20field=_raw%20%22%5E%5B%5E%5C%5D%5Cn%5D*%5C%5D%5Cs+%5Cw+%5Cs+%5Cw+%5Cs+%5Cd+%5Cs+%5Cw+%5Cs+(?P%3CUUID%3E%5Cw+)%22%0A%7Cdedup%20UUID%0A%7Ctable%20UUID%20_time&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

Those contain the following characters that are not encoded (=+?)

The line should be

          <link target="_blank">search?q=$env$%20%22TechnicalWorkFlow.spkFormSubmissionGlobalOptIn%22%20AND%20%22Opt%20In%20Response%20%3Cresult%20success%3D%5C%22false%5C%22%22%0A%7Crex%20field%3D_raw%20%22%5E%5B%5E%5C%5D%5Cn%5D*%5C%5D%5Cs%2B%5Cw%2B%5Cs%2B%5Cw%2B%5Cs%2B%5Cd%2B%5Cs%2B%5Cw%2B%5Cs%2B(%3FP%3CUUID%3E%5Cw%2B)%22%0A%7Cdedup%20UUID%0A%7Ctable%20UUID%20_time&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

Note the encoding of = (%3D), + (%2B) and ? (%3F)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2022 04:56 PM

Edit your dashboard in Source mode, so you can see your XML.

Please post your link target string for the drilldown. It should be something like this (this is not exactly the same as yours

        <drilldown>
          <link target="_blank">search?q=index%3D_audit%20%0A%7C%20rex%20field%3D_raw%20%22%5E%5B%5E%5C%5C%5D%5C%5Cn%5D*%5C%5C%5D%5C%5Cs%2B%5C%5Cw%2B%5C%5Cs%2B%5C%5Cw%2B%5C%5Cs%2B%5C%5Cd%2B%5C%5Cs%2B%5C%5Cw%2B%5C%5Cs%2B(%3FP%3CUUID%3E%5C%5Cw%2B)%22&amp;earliest=-15m&amp;latest=now</link>
        </drilldown>

It is most likely that some encoding issue with editing the link in the UI or the source is causing the issue, as you can see that the search string is truncated before the end

 

0 Karma
Reply
Solved! Jump to solution

Trex1
Explorer
‎05-08-2022 05:08 PM

@bowesmana here it is 🙂

<drilldown>
<link target="_blank">search?q=$env$%20%22TechnicalWorkFlow.spkFormSubmissionGlobalOptIn%22%20AND%20%22Opt%20In%20Response%20%3Cresult%20success=%5C%22false%5C%22%22%0A%7Crex%20field=_raw%20%22%5E%5B%5E%5C%5D%5Cn%5D*%5C%5D%5Cs+%5Cw+%5Cs+%5Cw+%5Cs+%5Cd+%5Cs+%5Cw+%5Cs+(?P%3CUUID%3E%5Cw+)%22%0A%7Cdedup%20UUID%0A%7Ctable%20UUID%20_time&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
</drilldown>

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-08-2022 06:28 PM

You have some non-encoded parts of the query in that URL - not sure how they are there, but for example

<link target="_blank">search?q=$env$%20%22TechnicalWorkFlow.spkFormSubmissionGlobalOptIn%22%20AND%20%22Opt%20In%20Response%20%3Cresult%20success=%5C%22false%5C%22%22%0A%7Crex%20field=_raw%20%22%5E%5B%5E%5C%5D%5Cn%5D*%5C%5D%5Cs+%5Cw+%5Cs+%5Cw+%5Cs+%5Cd+%5Cs+%5Cw+%5Cs+(?P%3CUUID%3E%5Cw+)%22%0A%7Cdedup%20UUID%0A%7Ctable%20UUID%20_time&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

Those contain the following characters that are not encoded (=+?)

The line should be

          <link target="_blank">search?q=$env$%20%22TechnicalWorkFlow.spkFormSubmissionGlobalOptIn%22%20AND%20%22Opt%20In%20Response%20%3Cresult%20success%3D%5C%22false%5C%22%22%0A%7Crex%20field%3D_raw%20%22%5E%5B%5E%5C%5D%5Cn%5D*%5C%5D%5Cs%2B%5Cw%2B%5Cs%2B%5Cw%2B%5Cs%2B%5Cd%2B%5Cs%2B%5Cw%2B%5Cs%2B(%3FP%3CUUID%3E%5Cw%2B)%22%0A%7Cdedup%20UUID%0A%7Ctable%20UUID%20_time&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

Note the encoding of = (%3D), + (%2B) and ? (%3F)

0 Karma
Reply
Solved! Jump to solution

Trex1
Explorer
‎05-10-2022 05:51 PM

@bowesmana Thanks heaps, that worked like a charm! However keen to know if you used a particular tool for the encoding as it appears each time I modify the custom search string in the drilldown option, it messes up the encoding ??

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-10-2022 09:51 PM

That's odd - I am using Splunk 8.2.6 for that example and I have edited the drilldown search in the UI and it correctly encodes the link - I checked the source view of the link.

I have added extra equals signs. extra rex statements with additional var extraction and can't make it fail.

 

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-10-2022 09:56 PM

I've personally experienced this in the past. Though don't remember any recent scenario of incorrectly encoded search string.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2022 09:23 PM

You could search for URL encoder/decoders on the internet, however, be warned that they may encode/decode $/%24 which would disrupt your token usage if not corrected.

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-10-2022 09:49 PM

Yeah, tokens are a bit of a hassle when using those online tools.

I generally use Splunk UI to write/update the query and remember which part Splunk is not encoding properly and do those changes only manually.

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-06-2022 10:27 PM

@Trex1 - I see you have used double backslashes \\w, \\n.

Use just single braces, like for new line \n, for space \s, etc.

Except for \\ which I'm guessing you need backslash as a character in your event.

 

Also, in the search string, you need to escape double quotes. So your search would look something like this:

AND "Opt in Response <result success=\"false\""

 

I hope this helps!!!

0 Karma
Reply
Solved! Jump to solution

Trex1
Explorer
‎05-08-2022 04:37 PM

@VatsalJagani Unfortunately that didn't fix the issue. It still complains about unbalanced quotes in the search. Not sure if this is a search string problem or something else.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...