
How to reliably use a | rex command in a dashboard?

bitnapper
Path Finder

Hi,

I regularly have the problem that I save searches containing regexes with $ characters to a dashboard, where they then show no results. I guess I have to escape them somehow. It seems that while saving them the $ characters are automatically duplicated, but if that is supposed to be some kind of escaping, it's not working.

I could not find anything in the documentation, but since there is plenty of it I was not sure where to look exactly. Can anyone tell me how to reliably use a | rex command in a dashboard?

| rex field=_raw "\s(?<hash>\S+)$"

0 Karma

rut
Path Finder

Hi @bitnapper,

Assuming you're creating XML dashboards, you could also try using CDATA. Edit the dashboard (go to the raw view), go to the search that you want to edit and wrap it in CDATA. An example:

```xml
<search>
  <query>
    <![CDATA[
    Your search here. Because of CDATA there's no need to escape text.
    ]]>
  </query>
</search>
```

You can read more about cdata at MDN or wikipedia:

https://developer.mozilla.org/en-US/docs/Web/API/CDATASection

https://en.wikipedia.org/wiki/CDATA

bitnapper
Path Finder

Thanks @rut, that actually helps.

I still don't understand why that happens. I write a search and from the search page I save to a new or existing dashboard. Shouldn't that be applied automatically?

0 Karma

rut
Path Finder

That’s a good question. When you save a search in the dashboard UI it gets stored encoded, e.g. Splunk translates > into &gt; so the search doesn’t break the underlying XML. You can see this happening when you inspect the XML after editing a search. 

This should work fine in most cases, but maybe something is happening with token replacements? Those also use $. What happens if you execute the search with the magnifying glass in the bottom of the panel, is the pattern still the same?

0 Karma

bitnapper
Path Finder

I don't have problems with tokens, but I have encountered these problems with searches containing rex commands with $ characters. And those indeed get duplicated. So if I have something like | rex field=_raw "\s(?<x>\S+)$", after storing it and then opening it again it has been converted to | rex field=_raw "\s(?<x>\S+)$$". That's why I was asking about escaping $ characters, but I'll test the CDATA tomorrow. It sounds very promising.

0 Karma

bitnapper
Path Finder

Hi @gcusello,

I have never had issues with <> or /, but regularly with $. Testing it in the search does not help, since the issue is exactly that it works in the search but not in the dashboard. But thanks for explaining to me what $ does; I would not have guessed that and just threw it into the mix because it looks good 😉

So is there a documentation about how Splunk Dashboards deal with searches and what escaping is necessary or not?

Kind Regards

btn

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @bitnapper,

I usually test my regexes in regex101.com (which also explains the regexes!) and then I check them in Splunk.

In this way the only differences I experienced are backslashes.

Ciao.

Giuseppe

0 Karma

bitnapper
Path Finder

Hi @gcusello,

thank you for trying, but your answer has nothing to do with my question. I'm not asking about regex per se, I want to know which escaping is necessary in dashboards.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @bitnapper ,

in my experience the only difference in escaping between searching and dashboards is the backslash, also because if you escape $ you don't use the end-of-row notation.

Ciao.

Giuseppe

0 Karma

bitnapper
Path Finder

Thanks for your guesses. Still looking for documentation.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @bitnapper,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @bitnapper,

$ in a regex means that you are at the end of the raw.

I found some problems escaping the \ (backslash), which is the escape char, so sometimes instead of using two backslashes I had to use three of them, but I never found problems with $.

About use in a dashboard, insert your regex in the search, test the search and save it in the dashboard.

If you directly insert a regex in a dashboard, remember to replace:

  • < with &lt;
  • > with &gt;

Ciao.

Giuseppe

0 Karma
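The three mechanisms discussed in this thread (entity-escaping < and > as in the list above, wrapping the query in CDATA as @rut suggested, and the $ to $$ doubling that Splunk applies to dashboard searches) can be checked offline. The script below is an added example, not code from the thread or from Splunk: it builds a minimal Simple XML panel from an SPL string both ways, parses the XML back and verifies that the search the dashboard would run matches the original. It assumes the Simple XML skeleton shown and that $$ is the dashboard escape for a literal $ (Splunk's token syntax being $name$); both sample searches are constructed.

```python
"""
Build a Splunk Simple XML <query> from an SPL string two ways (XML entity
escaping vs. CDATA), parse the XML back, and check that the search the
dashboard would run is byte-for-byte the original.

Assumptions (not taken from the thread): the dashboard skeleton is a minimal
Simple XML stub, and "$$" is Splunk's escape for a literal "$" inside
dashboard searches, where "$name$" is a token reference.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def escape_dollars(spl: str) -> str:
    """Double every literal $ so the dashboard does not read it as a $token$ delimiter."""
    return spl.replace("$", "$$")


def unescape_dollars(text: str) -> str:
    """What the dashboard runs after $$ -> $ substitution (assumed Splunk behaviour)."""
    return text.replace("$$", "$")


def query_entity_escaped(spl: str) -> str:
    """<query> with <, > and & turned into entities; needed for (?<name>...) groups."""
    return "<query>%s</query>" % escape(escape_dollars(spl))


def query_cdata(spl: str) -> str:
    """<query> wrapped in CDATA: no entity escaping, but two caveats remain.

    1. $ still has to be doubled: token substitution happens after XML parsing,
       so CDATA does nothing for it.
    2. A literal ']]>' would terminate the CDATA section early, so it is split
       across two adjacent CDATA sections.
    """
    body = escape_dollars(spl).replace("]]>", "]]]]><![CDATA[>")
    return "<query><![CDATA[%s]]></query>" % body


def panel_xml(title: str, spl: str, use_cdata: bool = False) -> str:
    """Minimal Simple XML dashboard with one table panel (constructed skeleton)."""
    query = query_cdata(spl) if use_cdata else query_entity_escaped(spl)
    return (
        "<dashboard><row><panel><title>%s</title>"
        "<table><search>%s</search></table></panel></row></dashboard>"
        % (escape(title), query)
    )


def is_well_formed(xml_text: str) -> bool:
    """False when the XML does not parse, e.g. an unescaped '<' outside CDATA."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def recover_query(xml_text: str) -> str:
    """Parse the dashboard XML and return the search after $$ -> $ substitution."""
    root = ET.fromstring(xml_text)
    query = root.find(".//search/query")
    return unescape_dollars(query.text)


def round_trips(spl: str) -> bool:
    """True when both encodings give back the original SPL."""
    return all(
        recover_query(panel_xml("check", spl, use_cdata=flag)) == spl
        for flag in (False, True)
    )


# Constructed sample searches (not taken from the thread's data).
SPL_REGEX = r'index=main | rex field=_raw "\s(?<hash>\S+)$" | where len(hash)=64'
SPL_CDATA_END = r'index=main | rex field=_raw "(?<tail>]]>.*)$" | table tail'


if __name__ == "__main__":
    print(panel_xml("Hashes", SPL_REGEX))
    print(panel_xml("Hashes", SPL_REGEX, use_cdata=True))
    print("round trip ok:", round_trips(SPL_REGEX), round_trips(SPL_CDATA_END))
```

Pasting the regex into a <query> element without either treatment is rejected by the XML parser because (?<hash> opens a tag; CDATA removes that problem but not the need to double $, and a search that itself contains ]]> has to be split across two CDATA sections, which the parser joins back together.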