Simple XML drilldown link search won't recognize regex or rex

Explorer

I have a dashboard panel with a table. I am able to change the drilldown search when selecting a row in the panel table to open a new window with the new search:

        <search>
          <query>index=$Environment$ ( program=*shot_director OR program=cryo_director* ) shot_Id=$shotIdPattern$ "Commanded|GoToState" | sort _time | table _time,program,shot_Id,slc_State</query>
          <earliest>$shotEarliest$</earliest>
        </search>
        <drilldown>
          <link target="_blank">
            /app/search/search?q=search index=$Environment$ "&lt;macro_step_complete&gt;" "Execution of Macro Step " shot_id=$shotIdPattern$ | eval subsystem=shot_supervisor | sort -_time 
          </link>
        </drilldown>    

but when I add the regex

    | rex field=taxon (?<ss>[^|]*)[|]

creating

            /app/search/search?q=search index=$Environment$ "&lt;macro_step_complete&gt;" "Execution of Macro Step " shot_id=$shotIdPattern$ | rex field=taxon (?&lt;ss&gt;[^|]*)[|] | eval subsystem=shot_supervisor | sort -_time 

the search window created results in:

    index=iccs_int "<macro_step_complete>" "Execution of Macro Step " shot_id=N160613-003* | rex field=taxon (

in the search box and the error

    Error in 'rex' command: Encountered the following error while compiling the regex '(': Regex: missing )

It seems the "?" in the regex is being consumed before it is being sent to the search app.

Any ideas?

Thanks in advance!

Is it working for you now? I have the same issue.

0 Karma

Explorer

Every "?" in the search string must be replaced with %3F. The only exception is if you are editing an .XML dashboard, in which case you replace all except for the first one at the beginning of the link section.

    <link target="_blank">search?q=

All other ?s must be changed to %3F whether in the extraction, or when escaped out in matching text.

0 Karma
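An added example, not code from any poster in this thread: a small Python helper that builds the drilldown link with every `?` after `search?q=` encoded as `%3F`. It goes further than the answer above by percent-encoding all reserved characters in the SPL while leaving `$token$` placeholders for the dashboard to substitute; the function names and the token pattern are assumptions made for this illustration.

```python
import re
from urllib.parse import quote
from xml.sax.saxutils import escape

# Assumption: dashboard tokens look like $Environment$ or $row.shot_Id$, and the
# SPL contains no other "$...$" pair (a literal "$" would need separate handling).
TOKEN = re.compile(r"(\$[A-Za-z_][\w.]*\$)")

def encode_spl_for_link(spl: str) -> str:
    """Percent-encode SPL for a link's q= parameter, leaving $tokens$ untouched."""
    parts = TOKEN.split(spl)  # the capture group puts tokens at odd indexes
    return "".join(p if i % 2 else quote(p, safe="") for i, p in enumerate(parts))

def drilldown_link(spl: str, base: str = "/app/search/search") -> str:
    """Return a <link> element whose only raw '?' is the query-string separator."""
    url = f"{base}?q={encode_spl_for_link(spl)}"
    return f'<link target="_blank">{escape(url)}</link>'

def raw_question_marks(link_body: str) -> list[int]:
    """Offsets of every '?' after the first one, i.e. the ones still to encode."""
    first = link_body.find("?")
    if first == -1:
        return []
    return [i for i in range(first + 1, len(link_body)) if link_body[i] == "?"]

# The search from the question, written as plain SPL (constructed from the thread).
SPL = ('search index=$Environment$ "<macro_step_complete>" '
       '"Execution of Macro Step " shot_id=$shotIdPattern$ '
       '| rex field=taxon (?<ss>[^|]*)[|] '
       '| eval subsystem=shot_supervisor | sort -_time')

if __name__ == "__main__":
    print(drilldown_link(SPL))
    # Lint the hand-written form of the link: reports the '?' inside the regex.
    print("unencoded '?' at offsets:", raw_question_marks("/app/search/search?q=" + SPL))
```

`raw_question_marks` can be run over the body of an existing `<link>` to find the characters that still need `%3F`.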

Communicator

@flegel2 I fixed it by placing the ASCII value of ? in the query. Its ASCII value is %3F.

Esteemed Legend

The rex string needs to be in double-quotes like this:

    | rex field=taxon "(?<ss>[^|]*)[|]"

0 Karma

Explorer

The quotes have no effect on the results.

0 Karma

Path Finder

If you save your search as a 'saved search' and call the drilldown as a link target in your dashboard, the rex should work.
So:

Dashboard:

    search?q=|savedsearch [name of savedsearch]

If you've used arguments in your saved search, you should also use them in the link, of course.

Saved search:
Here you can use the rex syntax as usual.

Explorer

This solution works correctly as well.

0 Karma

Legend

Try using CDATA, like this

    <link>
    <![CDATA[
      /app/search/search?q=search index=$Environment$ "<macro_step_complete>" "Execution of Macro Step " shot_id=$shotIdPattern$ | rex field=taxon (?<ss>[^|]*)[|] | eval subsystem=shot_supervisor | sort -_time
    ]]>
    </link>

0 Karma

Explorer

Using CDATA has no effect on the results.

0 Karma