Splunk Search

bad automatic SPL rewrite in 8.2.0 search if a field contains a relative file path


Hi Splunk experts,

I believe I found a bug in Splunk search.

Some fields in my events contain file paths with relative parts denoted by "../".

When I use Splunk search to list events with a specific path, the SPL is automatically rewritten and the "../" in the middle of the path is removed (thereby changing my search) resulting in no matching events found.

I cannot get Splunk search to filter by the literal string value I specify, even though it is surrounded by double quotes.

Example SPL:

Is automatically rewritten to:


Some facts:

- This behavior started after I upgraded to Splunk 8.2.0 and cannot be reproduced on 7.3.2.

- If I build the SPL within my dashboard (using tokens) then this automatic rewrite does not happen, hence the events are found. But as soon as I jump to Splunk search from the dashboard (through the looking glass symbol) the SPL gets rewritten and the  "../" removed.

- This automatic rewrite also happens if I let Splunk search itself compose the SPL: first view all events in Splunk search, and then filter on a file_name value through the field list on the left. The result is that no events are shown, as the resulting SPL is incorrect (see screenshots).


Screenshots of the problem:

- screenshot 1: events are shown in Splunk search, the field list on the left shows the occurring values for the file_name field. Now I click on a value to search for that specific file_name (note the ../ underlined in red)


- screenshot 2: Splunk search amends the file_name filter to the SPL, but it modifies the field value to omit the ../ part (again underlined in red)



Has anyone else encountered this problem, and/or has a remedy?


Thank you in advance,


Labels (1)
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.