Dashboards & Visualizations

splunk 8 - special character in drilldown search

krispyswitch
Loves-to-Learn

Hi -

I'm struggling with a problem occurring in a drilldown search used in a dashboard panel. On Splunk 7.21, the drilldown works fine; Splunk 8 gives the following error: Invalid earliest time.

I narrowed down the issue to an eval statement in the drilldown - |eval k=mvfilter(match(t, ",1$")) - to match a field that ends with ,1. the issue seems to be with the $. I've tried replacing the $ with %24, %2524, replacing double quotes with single quotes and protecting the $ with a backslash (out of desperation). This all fails - well, the %2524 works once, then will fail with the "Invalid earliest time" error on subsequent executions. When i check the drilldown, splunk has translated %2524 to %$.

Does anyone have any guidance/help to offer?

Thank you!

0 Karma
1 Solution

manjunathmeti
Champion

Prefix $ with another dollar sign.

|eval k=mvfilter(match(t, ",1$$"))

View solution in original post

0 Karma

manjunathmeti
Champion

Prefix $ with another dollar sign.

|eval k=mvfilter(match(t, ",1$$"))
0 Karma

krispyswitch
Loves-to-Learn

Thank you manjunathmeti. Your solution works.

Any thoughts on how to stop splunk 8 from translating hex values? Observing how splunk translated %2524 to %: had us test another search that contains regex to find urls containing %3A, %2F. a snippet of the drilldown regex - https((%253A)|(:))((%252F)|(\/)) In 7.21, the drilldown works - in the browser bar this appears as https((%3A)|(:))((%2F)|(\/)).

splunk 8 translates to https((:)|(:))((/)|(\/)) - any urls in our logs containing %3A, %2F are ignored.

Thanks!

0 Karma

manjunathmeti
Champion

Same with %. Prefix it with another % symbol.

0 Karma

krispyswitch
Loves-to-Learn

Thanks for the follow up. The %% didn't work - possibly because it's in a regex statement within the drilldown? both %%3A and %25%253A were tried.

the working regex (7.21) is set up to match url:port - | regex _raw="https((%253A)|(:))((%252F)|(\/))((%252F)|(\/))([a-zA-Z0-9.]%2B)((%253A)|(:))(\d%2B)"

On 8, splunk translates %253A to :, %252F to /, but 8 also completely ignores the + (%2B) - no matter if it's a hard coded +, ++, +, %2B or %252B. when the drilldown executes, the regex in the search window looks like:

regex _raw="https((:)|(:))(()|(\/))(()|(\/))([a-zA-Z0-9.] )((:)|(:))(\d )"
(note where the + should be is just a blank space )

or with the %%:

regex _raw="https((%%3A)|(:))((%%2F)|(\/))((%%2F)|(\/))([a-zA-Z0-9.]%%2B)((%%3A)|(:))(\d%%2B)".

Although the initial dashboard panel search shows 6 matches (single value), but the drilldown completely fails and returns 0 results.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...