Re: Simple XML drilldown link search won't recogni...

flegel2 · ‎06-15-2016

I have a dashboard panel with a table. I am able to change the drilldown search when selecting a row in the panel table to open a new window with the new search:

        <search>
          <query>index=$Environment$ ( program=*shot_director OR program=cryo_director* ) shot_Id=$shotIdPattern$ "Commanded|GoToState" | sort _time | table _time,program,shot_Id,slc_State</query>
          <earliest>$shotEarliest$</earliest>
        </search>
        <drilldown>
          <link target="_blank">
            /app/search/search?q=search index=$Environment$ "&lt;macro_step_complete&gt;" "Execution of Macro Step " shot_id=$shotIdPattern$ | eval subsystem=shot_supervisor | sort -_time 
          </link>
        </drilldown>

but when I add the regex

| rex field=taxon (?<ss>[^|]*)[|]

creating

            /app/search/search?q=search index=$Environment$ "&lt;macro_step_complete&gt;" "Execution of Macro Step " shot_id=$shotIdPattern$ | rex field=taxon (?&lt;ss&gt;[^|]*)[|] | eval subsystem=shot_supervisor | sort -_time

the search window created results in:

index=iccs_int "<macro_step_complete>" "Execution of Macro Step " shot_id=N160613-003* | rex field=taxon (

in the search box and the error

Error in 'rex' command: Encountered the following error while compiling the regex '(': Regex: missing )

It seems the "?" in the regex is being consumed before it is being sent to the search app.

Any ideas?

Thanks in advance!

manikyasandeepg · ‎06-21-2018

Is it working for you now? I have the same issue.

wilsonite · ‎09-11-2018

Every "?" in the search string must be replaced with %3F. The only exception is if you are editing .XML dashboard. In which, you will replace all except for the first one at the beginning of the link section.

<link target="_blank">search?q=

All other ?s must be changed to %3F whether in the extraction, or when escaped out in matching text.

vsingla1 · ‎03-10-2017

@flegel2 I fixed it by placing the ASCII value of ? in the query. Its ASCII value is %3F

woodcock · ‎06-15-2016

The rex string needs to be in double-quotes like this:

 | rex field=taxon "(?<ss>[^|]*)[|]"

flegel2 · ‎06-15-2016

The quotes has no effect on the results.

rrovers · ‎07-20-2018

if you save your search as a 'saved search' and call the drilldown as a link target in your dashboard the rex should work.
so:
dashboard:
search?q=|savedsearch [name of savedsearch]
If you've used arguments in your saved search you should als use them in the link of course.
Saved search:
Here you can use the rex syntax as usualy.

wilsonite · ‎09-11-2018

This solution works correctly as well.

sundareshr · ‎06-15-2016

Try using CDATA, like this

<link>
<![CDATA[
  /app/search/search?q=search index=$Environment$ "<macro_step_complete>" "Execution of Macro Step " shot_id=$shotIdPattern$ | rex field=taxon (?<ss>[^|]*)[|] | eval subsystem=shot_supervisor | sort -_time 
]]>
</link>

flegel2 · ‎06-15-2016

Using CDATA has no effect on the results.

Simple XML drilldown link search won't recognize regex or rex

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Simple XML drilldown link search won't recognize regex or rex

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25