Solved: Re: How to escape all possible special characters

Thulasinathan_M · ‎08-30-2023

Hi Splunk Experts,

I've a table and based on a click, I'm holding the value of field in token and using it in a different panel with search command. If there are any special characters the search is getting failed. I've tried replacing it with '*', but that gives me unexpected results. So I'm thinking of escaping all possible special characters in the token value. Please advice!!

Ex:

!@#$%^&*(){}|";:<>/\[]

I want them as below:

\!\@\#\$\%\^\&\*\(\)\{\}\|\"\;\:\<\>\/\\\[\]

ITWhisperer · ‎08-30-2023

Try like this

  <init>
    <set token="input">!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]</set>
  </init>
  <row>
    <panel depends="$alwayshide$">
      <html>
        <style>
          #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] {
            display: none;
          }
        </style>
      </html>
    </panel>
    <panel id="escaped">
      <table>
        <title>$escaped$</title>
        <search>
          <query>| makeresults
| fields - _time
| eval param=$input|s$
| eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="escaped">mvindex($click.value$,1)</eval>
        </drilldown>
      </table>
    </panel>
  </row>

View solution in original post

ITWhisperer · ‎08-30-2023

You could try replacing every special character with a backslash followed by that character.

In the following example, the token used in the title is set when the field is clicked. The token value is the contents of the second multi-value in the field, which has been hidden using CSS. (I tried using the replace in the token evaluation directly but it only seems to work on a field not a string.)

    <panel depends="$alwayshide$">
      <html>
        <style>
          #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] {
            display: none;
          }
        </style>
      </html>
    </panel>
    <panel id="escaped">
      <table>
        <title>$escaped$</title>
        <search>
          <query>| makeresults
| fields - _time
| eval param="!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]"
| eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="escaped">mvindex($click.value$,1)</eval>
        </drilldown>
      </table>
    </panel>

Thulasinathan_M · ‎08-30-2023

Thanks @ITWhisperer. This is exactly what I'm looking for, but my text comes from a token. If I do something like below, I get " Error in 'SearchParser': Mismatched ']'."

<init>
    <eval token="input">"!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]"</eval>
  </init>
   <row>
   <panel depends="$alwayshide$">
      <html>
        <style>
          #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] {
            display: none;
          }
        </style>
      </html>
    </panel>
    <panel id="escaped">
      <table>
        <title>$escaped$</title>
        <search>
          <query>| makeresults
| fields - _time
| eval param="$input$"
| eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="escaped">mvindex($click.value$,1)</eval>
        </drilldown>
      </table>
    </panel>
     </row>

ITWhisperer · ‎08-30-2023

Try like this

  <init>
    <set token="input">!@#$%^&amp;*(){}|\";:&lt;&gt;/\\[]</set>
  </init>
  <row>
    <panel depends="$alwayshide$">
      <html>
        <style>
          #escaped table tbody td div.multivalue-subcell[data-mv-index="1"] {
            display: none;
          }
        </style>
      </html>
    </panel>
    <panel id="escaped">
      <table>
        <title>$escaped$</title>
        <search>
          <query>| makeresults
| fields - _time
| eval param=$input|s$
| eval param=mvappend(param,replace(param,"([!@#$%^&amp;*\(\)\{\}\|\";:&lt;&gt;\/\\\[\]])","\\\\\1"))</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="escaped">mvindex($click.value$,1)</eval>
        </drilldown>
      </table>
    </panel>
  </row>

Thulasinathan_M · ‎08-30-2023

Thanks, worked perfectly.

gcusello · ‎08-30-2023

Hi @Thulasinathan_M,

if you always have a special char in the beginning of the token, you could add a backslash "\" as prefix to the token.

Ciao.

Giuseppe

Thulasinathan_M · ‎08-30-2023

Hi @gcusello, It can be anywhere in the text.

How to escape all possible special characters

eval

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation