Splunk Search

How to search complex string

vshakur
Path Finder

Hello,

In my Splunk dashboard I have a table that contains the following:

<table>
   <search>
      <query>
            ... | search message="$error_message$" | ...
      <query>
   </search>
</table>

sometimes the error_message is very complex. For example:

WebDriverException: Message: unknown error: Element <div class="CommandBarItem beak-anchor command" data-bind="css: { 'is-toggled': isOpen() || isToggled(), 'is-disabled': isDisabled, 'is-disabled-invisible': isInvisibleWhenDisabled, 'is-open': isOpen, 'is-focused': focused, 'CommandBarItem--hasPayload': $component.hasPayload, 'icon-only': hasIconOnly, 'is-current-view': isCurrentView, 'is-pivot': isCurrentView !== null, 'is-last-pivot': isLastPivot }, class: commandClass() ? 'od-Command--' + commandClass() : '', hasFocus: isActive, raiseEventOnChange: { eventName: 'layoutChange', bubbleEvent: true, data: layoutChanged }, dismiss: { isOpen: isOpen, isAutomatic: payload &amp;&amp; payload.autoDismiss, timeout: payload &amp;&amp; payload.timeout, dismissOnResize: false, dismissOnScroll: false }, with: targetCommand(), attr: { tabindex: tabindex, role: role, 'aria-label': $parent.accessibleLabel, 'aria-haspopup': visibleChildren().length > 0 || !!payload, 'aria-selected': isOpen(), 'aria-pressed': isToggled(), 'data-automationid': automationId, 'aria-expanded': visibleChildren().length > 0 ? isOpen().toString() : false, id: newFeatureExperienceAnchor }, teachingBubble: teachingBubble, tooltip: { content: $data.tooltip, isTooltipDisabled: isOpen }" tabindex="-1" role="menuitem" aria-label="Download" data-automationid="">...</div> is not clickable at point (415, 20). Other element would receive the click: <div class="ms-ModalOverlay"></div> (Session info: chrome=65.0.3325.181) (Driver info: chromedriver=2.37.543627 (63642262d9fb93fb4ab52398be4286d844092a5e),platform=Windows NT 10.0.15063 x86_64)

In such cases Splunk says there is an error or the search doesn't yield anything, because there are many characters (like quotation marks and the "|" sign) that interfere with the query.

Ho do I overcome that problem? How do I tell Splunk to treat the error_message as a simple string and not part of the query?

Thanks,
Sam

0 Karma

@vshankur, would it be possible for you to apply following replacement of special characters before you set token $error_message$ and then before you try to apply the search filter using the same token?

| eval message=replace(replace(replace(message,"\|",""),"\&lt;",""),"&gt;","")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Using ... | search message="$error_message|s$" | ... may help as it escapes embedded quotes. The pipes may still pose a problem, though. Not sure what to do about that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...