Splunk Search

Table drilldowns: Problem with forward slash

enexwhy
Explorer

Hi community,

I am trying to create a drilldown for a table using a cell value that contains a URL (or part of it).
These are the problems I'm facing:
1) Splunk converts the '/' in the cell value to '%2F'.
2) Cell becomes unclickable when cell value (containing part of URL) starts with '/'.

To explain the problems, here is a table with different use cases that you can also copy and play with:

<table>
    <search>
        <query>index=_internal | head 1
        | eval can_click = "dev.splunk.com"
        | eval cannot_click = "dev.splunk.com/view/webframework-codeexamples/SP-CAAAEVU"
        | eval can_click_but_forward_slashes_replaced = "view/webframework-codeexamples/SP-CAAAEVU"
        | table can_click, cannot_click, can_click_but_forward_slashes_replaced, with_cdata__cannot_click, with_cdata__can_click_but_forward_slashes_replaced
        </query>
    </search>
    <drilldown target="_blank">
        <condition field="can_click">
            <link>http://$row.can_click$</link>
        </condition>
        <condition field="cannot_click">
            <link>http://$row.cannot_click$</link>
        </condition>
        <condition field="can_click_but_forward_slashes_replaced">
            <link>http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced$</link>
        </condition>
        <condition field="with_cdata__cannot_click">
            <link><![CDATA[http://$row.cannot_click$]]></link>
        </condition>
        <condition field="with_cdata__can_click_but_forward_slashes_replaced">
            <link><![CDATA[http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced$]]></link>
        </condition>
    </drilldown>
</table>
  1. can_click Contains a URL with no forward slashes -- works fine.
  2. cannot_click Contains a URL that has a forward slash right after '.com' -- does not respond to clicks.
  3. can_click_but_forward_slashes_replaced Contains a URL that has forward slashes but not right after a '.com' -- responds but forward slashes are replaced with '%2F'. :: Note that if it started with a forward slash, it will be the same as case 2.
  4. with_cdata__cannot_click Same as case 2 but enclosed in CDATA tag.
  5. with_cdata__can_click_but_forward_slashes_replaced Same as case 3 but enclosed in CDATA tag.

My question: How can make a drilldown use a cell value containing a URL (or even just part of it)?

0 Karma
1 Solution

niketn
Legend

You have to enable no character escaping using n$ in all your tokens having URL escape characters. Following should work.

<drilldown>
   <condition field="can_click">
       <link>http://$row.can_click$</link>
   </condition>
   <condition field="cannot_click">
       <link>http://$row.cannot_click|n$</link>
   </condition>
   <condition field="can_click_but_forward_slashes_replaced">
       <link>http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced|n$</link>
   </condition>
   <condition field="with_cdata__cannot_click">
       <link><![CDATA[http://$row.cannot_click|n$]]></link>
   </condition>
   <condition field="with_cdata__can_click_but_forward_slashes_replaced">
       <link><![CDATA[http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced|n$]]></link>
   </condition>          
</drilldown>

Refer to the documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

You have to enable no character escaping using n$ in all your tokens having URL escape characters. Following should work.

<drilldown>
   <condition field="can_click">
       <link>http://$row.can_click$</link>
   </condition>
   <condition field="cannot_click">
       <link>http://$row.cannot_click|n$</link>
   </condition>
   <condition field="can_click_but_forward_slashes_replaced">
       <link>http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced|n$</link>
   </condition>
   <condition field="with_cdata__cannot_click">
       <link><![CDATA[http://$row.cannot_click|n$]]></link>
   </condition>
   <condition field="with_cdata__can_click_but_forward_slashes_replaced">
       <link><![CDATA[http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced|n$]]></link>
   </condition>          
</drilldown>

Refer to the documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

enexwhy
Explorer

Hi,

I appreciate your response, but adding '|n' as you suggested does not work.
It makes Splunk skip replacing the token reference with the actual value i.e. the link becomes 'dev.splunk.com/$row.can_click_but_forward_slashes_replaced$' instead of 'dev.splunk.com/view/webframework-codeexamples/SP-CAAAEVU'.

According to the documentation, the token filter '|u' is applied by default for all 'link' values.
Do you know if there is a way I can disable the '|u' token filter?

Thank you.

0 Karma

niketn
Legend

I tried the following and it worked fine for me. Similar to the example you have provided.

    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval can_click="dev.splunk.com"
| eval cannot_click = "dev.splunk.com/view/webframework-codeexamples/SP-CAAAEVU"
| eval can_click_but_forward_slashes_replaced = "view/webframework-codeexamples/SP-CAAAEVU"
| eval with_cdata__cannot_click = "dev.splunk.com/view/webframework-codeexamples/SP-CAAAEVU"
| eval with_cdata__can_click_but_forward_slashes_replaced = "view/webframework-codeexamples/SP-CAAAEVU"
| table can_click, cannot_click, can_click_but_forward_slashes_replaced, with_cdata__cannot_click, with_cdata__can_click_but_forward_slashes_replaced</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <drilldown>
           <condition field="can_click">
               <link>http://$row.can_click$</link>
           </condition>
           <condition field="cannot_click">
               <link>http://$row.cannot_click|n$</link>
           </condition>
           <condition field="can_click_but_forward_slashes_replaced">
               <link>http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced|n$</link>
           </condition>
           <condition field="with_cdata__cannot_click">
               <link><![CDATA[http://$row.cannot_click|n$]]></link>
           </condition>
           <condition field="with_cdata__can_click_but_forward_slashes_replaced">
               <link><![CDATA[http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced|n$]]></link>
           </condition>          
        </drilldown>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@enexwhy is your issue solved. Were you able to run the test code I have attached?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

enexwhy
Explorer

No, it does not work for me.
This is the resulting URL that I get when I click on 'cannot_click': http://%24row.cannot_click%7Cn%24/

Also, trying to use 'makeresults' results in an 'invalid command' error for me.
It shows that you are using a newer version of Splunk. Mine is v6.2, and maybe that's why we are seeing different outcomes.

Thank you for your reply anyway.

0 Karma

niketn
Legend

@enexwhy... Since you are on version 6.2, can you also check creating html panel below table and see if link generated is clickable. Splunk 6.x Dashboard Example App shows Dynamic Drilldown Examples which are also available in 6.2. Can you please try getting the App and see if you find something that works for you?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

enexwhy
Explorer

I converted the XML to HTML.
This was part of the code:

} else if (e.field === "with_cdata__can_click_but_forward_slashes_replaced") {
e.preventDefault();
var url = TokenUtils.replaceTokenNames("http://dev.splunk.com/$row.can_click_but_forward_slashes_replaced$", _.extend(submittedTokenModel.toJSON(), e.data), TokenUtils.getEscaper('url'));
utils.redirect(url, false, "_blank");
}

The problem is "TokenUtils.getEscaper('url')". By removing that, the forward slashes no longer get replaced and the URL works as it should.

However, there is no equivalent solution in XML.

0 Karma

niketn
Legend

HTML Panels are different than HTML Dashboards. What I was requesting was to create HTML Panels with anchor tags instead of links and use then as URL Encoded links. Nevertheless, easier or the hard way, I am glad you are able to somehow make it work.

Upgrading to newer instance of Splunk will also fix the same as the Simple XML dashboard is working fine for me in 6.5. Sooner or later things will be easier with latest version.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

enexwhy
Explorer

Hi, I now have access to a Splunk instance that is version 6.5+, and can finally verify that your answer was correct. I have accepted it; thanks for the help!

0 Karma

niketn
Legend

@enexwhy... glad it worked! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...