Splunk Search

Is there an alternative to using > in a search string?

psymonkey
New Member

My basic question is as follows: Is there a text alternative for specifying greater or less than, rather than using the symbol?

This is why I ask:

I have a search that queries failed login attempts greater than 10 across all servers in the index. It works a treat!
I've added that search to a Splunk Dashboard, and it populates beautifully and serves us well.

However, unlike every other section in the dashboard, clicking an entry returns a permission error: You don't have permission to access /en-US/app/search/search on this server.

If I edit the search string to remove "search count>10 ", the links are clickable and go straight to the search app. I tested on a second dashboard search with the same results.

I don't know if this is an issue with Splunk, or more likely our SSO blocking > as the URL is passed to the search application.

Rather than explore allowing > in the URLs, I'd prefer to just specify an alternate term, if such a term exists.

PS - this is my first post. I did look for an answer to this, and apologize if it exists and I just didn't find it!

0 Karma

psymonkey
New Member

Thank you both for your quick responses, and apologies for the delay in getting back to you. I've been on vacation.

Unfortunately this doesn't work for me, the modified search returns no results in the dashboard, where there were several when using the >.

It is possible that I've done something incorrectly - I simply replaced the > with >, (no spaces) and also tried > with no luck.

I'll keep digging - thanks again!

0 Karma

pradeepkumarg
Influencer

Did you try encoding using `&gt;` or `&lt;`? Use them without spaces.

0 Karma

DalJeanis
SplunkTrust

@gpradeepkumarreddy -

We converted your comment to an answer, because this is the correct answer to his issue.

To mark your code, you can either use the code button on your browser (101 010) or you can put the grave accent (`) ... the one that is to the left of the `1` above the `~` on an American keyboard... before and after your code. That will prevent the interface from treating your `&gt;` as html.

0 Karma

niketn
Legend

@psymonkey, use XML Escape characters while creating <drilldown> to a search query. If you are on Splunk 6.6 or higher you can use Splunk UI to create Drilldown action to create a Drilldown Link to Search.

This way you do not have to escape XML characters as they will be automatically escaped in back-end Simple XML code <drilldown> code.

You can also create <![CDATA[ section as mentioned in the above documentation to use XML special characters in search query for drilldown without escaping.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
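An added example (not from the thread or from Splunk) of the two options described in the answer above, entity escaping and a CDATA section, checking that an XML parser hands back the same search string either way. The sample SPL around `search count>10`, the `<query>` wrapper and the function names are assumptions for illustration; the last helper percent-encodes the search for a URL query string.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote
from xml.sax.saxutils import escape

# Constructed SPL for illustration; only "search count>10" comes from the thread.
SPL = 'index=main "failed login" | stats count by host | search count>10'


def escaped_query(spl):
    """<query> element with &, < and > replaced by XML entities."""
    return "<query>" + escape(spl) + "</query>"


def cdata_query(spl):
    """<query> element carrying the raw SPL inside a CDATA section."""
    # A literal "]]>" would close the section early, so split it in two.
    body = spl.replace("]]>", "]]]]><![CDATA[>")
    return "<query><![CDATA[" + body + "]]></query>"


def parsed_text(xml):
    """Text the XML parser returns, or None if the markup is not well-formed."""
    try:
        return ET.fromstring(xml).text
    except ET.ParseError:
        return None


def url_param(spl):
    """Percent-encode SPL for a URL query string so no raw '>' is sent."""
    return quote(spl, safe="")


if __name__ == "__main__":
    print(escaped_query(SPL))
    print(cdata_query(SPL))
    print(url_param("search count>10"))
```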