Splunk Search

Eval strftime not working with Linked Search

Jack_Accent
Loves-to-Learn

Hello! Still very new to Splunk so hoping to get some clarification.

My dashboard is currently using a post-process search as its base and filtering data from there. On my dashboard objects, I have a <link></link> which works fine until adding an eval strftime to convert the time to human readable.

Running this search as a new search manually with the eval works fine. However, the link directs to a blank search. Removing the eval statement makes the link work.

Link:
<link target="_blank">

search?q=| inputlookup io_vuln_data_lookup where $severity$ | search last_found &gt;= "$info_min_time$" AND last_found &lt;= "$info_max_time$"

| eval last_found = strftime(last_found, "%c")

| table dns_name,  last_found | where lower(state)!="fixed"

</link>

I was hoping to only do this conversion for a single dashboard object, so didn't want to convert the entire lookup. Would be amazing if I could get this search to work 🙂

Thanks!

Labels (3)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

In SimpleXML, certain characters must be entered with HTML entities. (Specifically, double quotes, greater than, less than, and so on.)  More generally, GET URLs are best encoded without special characters.  So, replace | eval last_found = strftime(last_found, "%c") with

%3D%20strftime(last_found%2C%20%22%25c%22)

 Meanwhile I do not know how the cited URL could "works fine till."  If you are entering these in source editor, you can try replacing double quotes with &quot;, i.e.,

| eval last_found = strftime(last_found, &quot;%c&quot;)

I recommend using the visual editor, however.  There, you can enter SPL as SPL.

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...