Splunk Search

Is there an alternative to using > in a search string?

psymonkey
New Member

My basic question is as follows: Is there a text alternative for specifying greater or less than, rather than using the symbol?

This is why I ask:

I have a search that queries failed login attempts greater than 10 across all servers in the index. It works a treat!
I've added that search to a Splunk Dashboard, and it populates beautifully and serves us well.

However, unlike every other section in the dashboard, clicking an entry returns a permission error: You don't have permission to access /en-US/app/search/search on this server.

If I edit the search string to remove "search count>10 ", the links are clickable and go straight to the search app. I tested on a second dashboard search with the same results.

I don't know if this is an issue with Splunk, or more likely our SSO blocking > as the URL is passed to the search application.

Rather than explore allowing > in the URLs, I'd prefer to just specify an alternate term, if such a term exists.

PS - this is my first post. I did look for an answer to this, and apologize if it exists and I just didn't find it!

0 Karma

psymonkey
New Member

Thank you both for your quick responses, and apologies for the delay in getting back to you. I've been on vacation.

Unfortunately this doesn't work for me, the modified search returns no results in the dashboard, where there were several when using the >.

It is possible that I've done something incorrectly - I simply replaced the > with >, (no spaces) and also tried > with no luck.

I'll keep digging - thanks again!

0 Karma

pradeepkumarg
Influencer

Did you try encoding using `&gt;` or `&lt;`? Use them without spaces.

0 Karma

DalJeanis
Legend

@gpradeepkumarreddy -

We converted your comment to an answer, because this is the correct answer to his issue.

To mark your code, you can either use the code button on your browser (101 010) or you can put the grave accent (`) ... the one that is to the left of the `1` above the `~` on an American keyboard ... before and after your code. That will prevent the interface from treating your `>` as html.

0 Karma

niketn
Legend

@psymonkey, use XML Escape characters while creating <drilldown> to a search query. If you are on Splunk 6.6 or higher you can use Splunk UI to create Drilldown action to create a Drilldown Link to Search.

This way you do not have to escape XML characters as they will be automatically escaped in back-end Simple XML code <drilldown> code.

You can also create <![CDATA[ section as mentioned in the above documentation to use XML special characters in search query for drilldown without escaping.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
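The two options from the answers above (entity-escaping the comparison operator, or wrapping the query in a CDATA section), shown as an added example that is not part of the original thread. The index and field names in the sample query, the `search?q=` link form and all helper names are assumptions made for illustration; the script checks that an XML parser reads both forms back as the same query and also shows the percent-encoded form of `>` for a drilldown URL.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote
from xml.sax.saxutils import escape

# Constructed sample query modelled on the question (index/field names are assumptions).
SPL = 'index=auth action=failure | stats count by host | search count>10'

def as_escaped(spl: str) -> str:
    """Entity-escape &, < and > so the query can sit directly inside <query>."""
    return escape(spl)

def as_cdata(spl: str) -> str:
    """Wrap the query in CDATA; a literal ']]>' must be split across two sections."""
    return "<![CDATA[" + spl.replace("]]>", "]]]]><![CDATA[>") + "]]>"

def as_url_param(spl: str) -> str:
    """Percent-encode the query for a drilldown link, so '>' travels as %3E."""
    return quote("search " + spl, safe="")

def panel(query_body: str, spl: str) -> str:
    """Build a minimal Simple XML table panel with a drilldown link (assumed form)."""
    link = escape("search?q=" + as_url_param(spl))
    return (
        "<dashboard><row><panel><table>"
        f"<search><query>{query_body}</query></search>"
        f'<drilldown><link target="_blank">{link}</link></drilldown>'
        "</table></panel></row></dashboard>"
    )

def parsed_query(xml_text: str) -> str:
    """Return the query text exactly as an XML parser hands it on."""
    return ET.fromstring(xml_text).find(".//query").text

if __name__ == "__main__":
    for body in (as_escaped(SPL), as_cdata(SPL)):
        print(body)
        print("  parses back to:", parsed_query(panel(body, SPL)))
    print("URL form:", as_url_param(SPL))
```

If the escaped form is typed into a visual editor that escapes again on save, the stored source ends up with `&amp;gt;`, so it is worth checking the raw Simple XML source after saving.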