Splunk Search

How to search complex string

vshakur
Path Finder

Hello,

In my Splunk dashboard I have a table that contains the following:

<table>
   <search>
      <query>
            ... | search message="$error_message$" | ...
      <query>
   </search>
</table>

sometimes the error_message is very complex. For example:

WebDriverException: Message: unknown error: Element <div class="CommandBarItem beak-anchor command" data-bind="css: { 'is-toggled': isOpen() || isToggled(), 'is-disabled': isDisabled, 'is-disabled-invisible': isInvisibleWhenDisabled, 'is-open': isOpen, 'is-focused': focused, 'CommandBarItem--hasPayload': $component.hasPayload, 'icon-only': hasIconOnly, 'is-current-view': isCurrentView, 'is-pivot': isCurrentView !== null, 'is-last-pivot': isLastPivot }, class: commandClass() ? 'od-Command--' + commandClass() : '', hasFocus: isActive, raiseEventOnChange: { eventName: 'layoutChange', bubbleEvent: true, data: layoutChanged }, dismiss: { isOpen: isOpen, isAutomatic: payload &amp;&amp; payload.autoDismiss, timeout: payload &amp;&amp; payload.timeout, dismissOnResize: false, dismissOnScroll: false }, with: targetCommand(), attr: { tabindex: tabindex, role: role, 'aria-label': $parent.accessibleLabel, 'aria-haspopup': visibleChildren().length > 0 || !!payload, 'aria-selected': isOpen(), 'aria-pressed': isToggled(), 'data-automationid': automationId, 'aria-expanded': visibleChildren().length > 0 ? isOpen().toString() : false, id: newFeatureExperienceAnchor }, teachingBubble: teachingBubble, tooltip: { content: $data.tooltip, isTooltipDisabled: isOpen }" tabindex="-1" role="menuitem" aria-label="Download" data-automationid="">...</div> is not clickable at point (415, 20). Other element would receive the click: <div class="ms-ModalOverlay"></div> (Session info: chrome=65.0.3325.181) (Driver info: chromedriver=2.37.543627 (63642262d9fb93fb4ab52398be4286d844092a5e),platform=Windows NT 10.0.15063 x86_64)

In such cases Splunk says there is an error or the search doesn't yield anything, because there are many characters (like quotation marks and the "|" sign) that interfere with the query.

Ho do I overcome that problem? How do I tell Splunk to treat the error_message as a simple string and not part of the query?

Thanks,
Sam

0 Karma

niketn
Legend

@vshankur, would it be possible for you to apply following replacement of special characters before you set token $error_message$ and then before you try to apply the search filter using the same token?

| eval message=replace(replace(replace(message,"\|",""),"\&lt;",""),"&gt;","")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Using ... | search message="$error_message|s$" | ... may help as it escapes embedded quotes. The pipes may still pose a problem, though. Not sure what to do about that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...