Solved: How to escape all possible special characters

Thulasinathan_M · ‎08-30-2023

Hi Splunk Experts,

I've a table and based on a click, I'm holding the value of field in token and using it in a different panel with search command. If there are any special characters the search is getting failed. I've tried replacing it with '*', but that gives me unexpected results. So I'm thinking of escaping all possible special characters in the token value. Please advice!!

Ex:

!@#$%^&*(){}|";:<>/\[]

I want them as below:

\!\@\#\$\%\^\&\*\(\)\{\}\|\"\;\:\<\>\/\\\[\]

ITWhisperer · ‎08-30-2023

Try like this

  <init>
    <set token="input">!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]</set>
  </init>
  <row>
    <panel depends="$alwayshide$">
      <html>
        <style>
          #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] {
            display: none;
          }
        </style>
      </html>
    </panel>
    <panel id="escaped">
      <table>
        <title>$escaped$</title>
        <search>
          <query>| makeresults
| fields - _time
| eval param=$input|s$
| eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="escaped">mvindex($click.value$,1)</eval>
        </drilldown>
      </table>
    </panel>
  </row>

View solution in original post

ITWhisperer · ‎08-30-2023

You could try replacing every special character with a backslash followed by that character.

In the following example, the token used in the title is set when the field is clicked. The token value is the contents of the second multi-value in the field, which has been hidden using CSS. (I tried using the replace in the token evaluation directly but it only seems to work on a field not a string.)

    <panel depends="$alwayshide$">
      <html>
        <style>
          #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] {
            display: none;
          }
        </style>
      </html>
    </panel>
    <panel id="escaped">
      <table>
        <title>$escaped$</title>
        <search>
          <query>| makeresults
| fields - _time
| eval param="!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]"
| eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="escaped">mvindex($click.value$,1)</eval>
        </drilldown>
      </table>
    </panel>

Thulasinathan_M · ‎08-30-2023

Thanks @ITWhisperer. This is exactly what I'm looking for, but my text comes from a token. If I do something like below, I get " Error in 'SearchParser': Mismatched ']'."

<init>
    <eval token="input">"!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]"</eval>
  </init>
   <row>
   <panel depends="$alwayshide$">
      <html>
        <style>
          #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] {
            display: none;
          }
        </style>
      </html>
    </panel>
    <panel id="escaped">
      <table>
        <title>$escaped$</title>
        <search>
          <query>| makeresults
| fields - _time
| eval param="$input$"
| eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="escaped">mvindex($click.value$,1)</eval>
        </drilldown>
      </table>
    </panel>
     </row>

ITWhisperer · ‎08-30-2023

Try like this

  <init>
    <set token="input">!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]</set>
  </init>
  <row>
    <panel depends="$alwayshide$">
      <html>
        <style>
          #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] {
            display: none;
          }
        </style>
      </html>
    </panel>
    <panel id="escaped">
      <table>
        <title>$escaped$</title>
        <search>
          <query>| makeresults
| fields - _time
| eval param=$input|s$
| eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="escaped">mvindex($click.value$,1)</eval>
        </drilldown>
      </table>
    </panel>
  </row>

Thulasinathan_M · ‎08-30-2023

Thanks, worked perfectly.

gcusello · ‎08-30-2023

Hi @Thulasinathan_M,

if you always have a special char in the beginning of the token, you could add a backslash "\" as prefix to the token.

Ciao.

Giuseppe

Thulasinathan_M · ‎08-30-2023

Hi @gcusello, It can be anywhere in the text.

How to escape all possible special characters

eval

rex

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

How to escape all possible special characters

eval

rex

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)