Hi,
I regularly have the problem that I save searches containing regexes with $ characters to a dashboard, where they then do not show any results. I guess I have to escape them somehow. It seems that while saving them the $ characters are automatically duplicated, but if that is supposed to be some kind of escaping it's not working.
I could not find anything in the documentation, but since there is plenty of it I was not sure where to look exactly. Can anyone tell me how to reliably use a | rex command in a dashboard?
| rex field=_raw "\s(?<hash>\S+)$"
Hi @bitnapper,
Assuming you're creating XML dashboards, you could also try using CDATA. Edit the dashboard (go to the raw view), go to the search that you want to edit and wrap it in CDATA. An example:
```xml
<search>
  <query>
    <![CDATA[
      Your search here. Because of cdata there's no need to escape text.
    ]]>
  </query>
</search>
```
You can read more about CDATA at MDN or Wikipedia:
https://developer.mozilla.org/en-US/docs/Web/API/CDATASection
Thanks @rut, that actually helps.
I still don't understand why that happens. I write a search and from the search page I save to a new or existing dashboard. Shouldn't that be applied automatically?
That’s a good question. When you save a search in the dashboard UI it gets stored encoded, e.g. Splunk translates > into &gt; so the search doesn’t break the underlying XML. You can see this happening when you inspect the XML after editing a search.
This should work fine in most cases, but maybe something is happening with token replacements? Those also use $. What happens if you execute the search with the magnifying glass in the bottom of the panel, is the pattern still the same?
I don't have problems with tokens but I have encountered these problems with searches containing rex commands with $ characters. And those indeed get duplicated. So if I have something like | rex field=_raw "\s(?<x>\S+)$" after storing and then opening it again it has been converted to | rex field=_raw "\s(?<x>\S+)$$". That's why I was asking about escaping $ characters, but I'll test the CDATA tomorrow. It sounds very promising.
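An added example, not part of the thread and not Splunk's own code: a Python check that reads Simple XML dashboard source and returns each `<query>` as the XML parser sees it. It shows that the entity-encoded and CDATA forms decode to the same search text and flags any doubled `$$` like the one described above. The sample dashboard and `index=main` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dashboard (not from the thread): the same rex search stored
# three ways: entity-encoded, wrapped in CDATA, and with the doubled "$$".
SAMPLE_DASHBOARD = r"""<dashboard>
  <row><panel><table><search>
    <query>index=main | rex field=_raw "\s(?&lt;hash&gt;\S+)$"</query>
  </search></table></panel></row>
  <row><panel><table><search>
    <query><![CDATA[index=main | rex field=_raw "\s(?<hash>\S+)$"]]></query>
  </search></table></panel></row>
  <row><panel><table><search>
    <query>index=main | rex field=_raw "\s(?&lt;hash&gt;\S+)$$"</query>
  </search></table></panel></row>
</dashboard>"""

DOUBLED_DOLLAR = re.compile(r"\$\$")


def audit_queries(dashboard_xml):
    """Return one dict per <query>: decoded text plus offsets of any '$$'."""
    root = ET.fromstring(dashboard_xml)
    findings = []
    for number, query in enumerate(root.iter("query"), start=1):
        # .text is the content after XML decoding: entities are resolved and
        # CDATA markers are gone, but "$" is left exactly as stored.
        text = (query.text or "").strip()
        findings.append({
            "query": number,
            "spl": text,
            "doubled_dollar_at": [m.start() for m in DOUBLED_DOLLAR.finditer(text)],
        })
    return findings


if __name__ == "__main__":
    for item in audit_queries(SAMPLE_DASHBOARD):
        status = "REVIEW: contains $$" if item["doubled_dollar_at"] else "ok"
        print(f'query {item["query"]}: {status}\n    {item["spl"]}')
```

To check a real dashboard, pass the text copied from the dashboard's source view to `audit_queries` instead of the sample.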
Hi @gcusello,
I have never had issues with <> or / but regularly with $. Testing it in the search does not help since the issue is exactly that it works in the search but not in the dashboard. But thanks for explaining to me what $ does, I would not have guessed that and just thrown it into the mix because it looks good 😉
So is there a documentation about how Splunk Dashboards deal with searches and what escaping is necessary or not?
Kind Regards
btn
Hi @bitnapper,
I usually test my regexes in regex101.com (that also explains the regexes!) and then I check them in Splunk.
In this way the only differences I experienced are backslashes.
Ciao.
Giuseppe
Hi @gcusello,
thank you for trying but your answer has nothing to do with my question. I'm not asking about regex per se, I want to know which escaping is necessary in dashboards.
Hi @bitnapper ,
in my experience the only difference in escaping between searching and dashboards is the backslash, also because if you escape $ you don't use the notation of end of row.
Ciao.
Giuseppe
Thanks for your guesses. Still looking for documentation.
Hi @bitnapper,
if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @bitnapper,
$ in a regex means that you are at the end of the raw.
I found some problems escaping the \ (backslash), which is the escape char, so sometimes instead of using two backslashes I had to use three of them, but I never found problems with $.
About use in a dashboard: insert your regex in the search, test the search and save it in the dashboard.
If you directly insert a regex in a dashboard, remember to replace:
Ciao.
Giuseppe