Simple XML drilldown link search won't recognize regex or rex


I have a dashboard panel with a table. I am able to change the drilldown search when selecting a row in the panel table to open a new window with the new search:

          <query>index=$Environment$ ( program=*shot_director OR program=cryo_director* ) shot_Id=$shotIdPattern$ "Commanded|GoToState" | sort _time | table _time,program,shot_Id,slc_State</query>
          <link target="_blank">
            /app/search/search?q=search index=$Environment$ "&lt;macro_step_complete&gt;" "Execution of Macro Step " shot_id=$shotIdPattern$ | eval subsystem=shot_supervisor | sort -_time 

but when I add the regex

| rex field=taxon (?<ss>[^|]*)[|]


            /app/search/search?q=search index=$Environment$ "&lt;macro_step_complete&gt;" "Execution of Macro Step " shot_id=$shotIdPattern$ | rex field=taxon (?&lt;ss&gt;[^|]*)[|] | eval subsystem=shot_supervisor | sort -_time 

the search window created results in:

index=iccs_int "<macro_step_complete>" "Execution of Macro Step " shot_id=N160613-003* | rex field=taxon (

in the search box and the error

Error in 'rex' command: Encountered the following error while compiling the regex '(': Regex: missing ) 

It seems the "?" in the regex is being consumed before it is being sent to the search app.

Any ideas?

Thanks in advance!


Is it working for you now? I have the same issue.

0 Karma


Every "?" in the search string must be replaced with %3F. The only exception is if you are editing an .XML dashboard, in which case you will replace all except for the first one at the beginning of the link section.

<link target="_blank">search?q=

All other ?s must be changed to %3F whether in the extraction, or when escaped out in matching text.

0 Karma
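
The replacement described in the answer above can be done mechanically. As an added example (not code from this thread or from Splunk), the Python below percent-encodes the SPL that follows `search?q=` so that no literal `?` remains, and counts stray `?` characters in an existing link body. The function names and the `$token$` pattern are assumptions, and it goes beyond the answer by encoding every reserved character, not only `?`.

```python
import re
from urllib.parse import quote
from xml.sax.saxutils import escape

# Assumed token syntax: $name$ or $name|f$ placeholders that the dashboard
# substitutes itself, so they must stay unencoded in the link.
TOKEN = re.compile(r"\$[A-Za-z_][\w.]*(?:\|[a-z])?\$")

# Constructed sample: the drilldown search from the question, unencoded.
SAMPLE_SPL = ('search index=$Environment$ "<macro_step_complete>" '
              '"Execution of Macro Step " shot_id=$shotIdPattern$ '
              '| rex field=taxon (?<ss>[^|]*)[|] '
              '| eval subsystem=shot_supervisor | sort -_time')

def encode_spl_for_link(spl: str) -> str:
    """Percent-encode SPL for use after 'search?q=', keeping $token$ as-is."""
    out, pos = [], 0
    for m in TOKEN.finditer(spl):
        out.append(quote(spl[pos:m.start()], safe=""))  # '?' -> %3F, '|' -> %7C, ...
        out.append(m.group(0))                           # token left untouched
        pos = m.end()
    out.append(quote(spl[pos:], safe=""))
    return "".join(out)

def drilldown_link(spl: str, base: str = "/app/search/search") -> str:
    """Build the <link> element; the only literal '?' is the one before q=."""
    url = f"{base}?q={encode_spl_for_link(spl)}"
    return f'<link target="_blank">{escape(url)}</link>'

def stray_question_marks(link_body: str) -> int:
    """Count literal '?' after the first one in an existing link body."""
    return max(link_body.count("?") - 1, 0)

if __name__ == "__main__":
    print(drilldown_link(SAMPLE_SPL))
```

Running `stray_question_marks` over the link bodies of existing dashboards flags the drilldowns that still carry a literal `?` inside the search.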


@flegel2 I fixed it by placing the ASCII value of ? in the query. Its ASCII value is %3F

Esteemed Legend

The rex string needs to be in double-quotes like this:

 | rex field=taxon "(?<ss>[^|]*)[|]"
0 Karma


The quotes have no effect on the results.

0 Karma


If you save your search as a 'saved search' and call the drilldown as a link target in your dashboard, the rex should work.
search?q=|savedsearch [name of savedsearch]
If you've used arguments in your saved search, you should also use them in the link, of course.
Saved search:
Here you can use the rex syntax as usual.


This solution works correctly as well.

0 Karma


Try using CDATA, like this

  /app/search/search?q=search index=$Environment$ "<macro_step_complete>" "Execution of Macro Step " shot_id=$shotIdPattern$ | rex field=taxon (?<ss>[^|]*)[|] | eval subsystem=shot_supervisor | sort -_time 
0 Karma


Using CDATA has no effect on the results.

0 Karma