Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why does my drilldown with the rex command ret...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
damucka
Builder
11-27-2018
06:00 AM
Hello,
I have the following drilldown in my dashboard panel:
<link target="_blank"><![CDATA[search?q=index=mlbso sourcetype=$SYSID$_hanatraces earliest=$earliesttime$ latest=$latesttime$ [search index=mlbso sourcetype=$SYSID$_hanatraces "ALTER SYSTEM ALTER CONFIGURATION" earliest=$earliesttime$ latest=$latesttime$ | rex field=_raw "(?i)(?<=configuration is changed by )(?P<CONNECTION_ID>(?s)(.*))(?=, client ip)" | return $CONNECTION_ID]]]></link>
When I execute it, I get the following search string presented and an "Unbalanced quotes" error:
index=mlbso sourcetype=BWP_hanatraces earliest=1543313122.531 latest=1543313122.537 [search index=mlbso sourcetype=BWP_hanatraces "ALTER SYSTEM ALTER CONFIGURATION" earliest=1543313122.531 latest=1543313122.537 | rex field=_raw "(
How would I overcome this issue?
Kind Regards,
Kamil
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MathiasLindblom
Path Finder
11-27-2018
06:33 AM
Hi, seems like the question mark is messing things up, replace all the question marks with %3F:
<link target="_blank"> <![CDATA[search?q=index=mlbso sourcetype=$SYSID$_hanatraces earliest=$earliesttime$ latest=$latesttime$ [search index=mlbso sourcetype=$SYSID$_hanatraces "ALTER SYSTEM ALTER CONFIGURATION" earliest=$earliesttime$ latest=$latesttime$ | rex field=_raw "(%3Fi)(%3F<=configuration is changed by )(%3FP<CONNECTION_ID>(%3Fs)(.*))(%3F=, client ip)" | return $CONNECTION_ID]]]></link>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MathiasLindblom
Path Finder
11-27-2018
06:33 AM
Hi, seems like the question mark is messing things up, replace all the question marks with %3F:
<link target="_blank"> <![CDATA[search?q=index=mlbso sourcetype=$SYSID$_hanatraces earliest=$earliesttime$ latest=$latesttime$ [search index=mlbso sourcetype=$SYSID$_hanatraces "ALTER SYSTEM ALTER CONFIGURATION" earliest=$earliesttime$ latest=$latesttime$ | rex field=_raw "(%3Fi)(%3F<=configuration is changed by )(%3FP<CONNECTION_ID>(%3Fs)(.*))(%3F=, client ip)" | return $CONNECTION_ID]]]></link>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
damucka
Builder
11-27-2018
06:55 AM
Thank you, it works.
Get Updates on the Splunk Community!
Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year
At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
