I have a Splunk alert configured to send Hipchat notifications. My goal is to have a link in the search to go on a dashboard prefilled with elements from the alert.
Here is the search of my alert:
index=myindex earliest=-2m@m latest=@m | where match(Subject, "(..........)") | stats count by Subject | where count > 100
Where the index contains "kind of" email logs and Subject is an email Subject.
In the alert configuration, I send a Hipchat notification using the "Subject" field :
<p><strong>Alert: Possible spam detected</strong> - <a href="https://mysplunkurl.com/en-US/app/myapp/myform?form.Field=Subject&form.Value=$result.Subject$>View details</a></p>
<p> $result.count$ ex. / Subject: $result.Subject$</p>
However, the "Subject" field can contains special characters, such as "'()%& ...
In that case, the link might be broken, or the browser might trigger an alert because it thinks I have a SQL injection or XSS attack.
So, I would like to encode the URL in a way that it will be opened by a browser 100% of the time. I saw there is a urldecode() function, but no urlencode()
Using replace() for each special character does not feel to be the right solution.
How do you (or would you) handle that?
... View more