Dashboards & Visualizations

splunk 8 - special character in drilldown search

krispyswitch
Loves-to-Learn

Hi -

I'm struggling with a problem occurring in a drilldown search used in a dashboard panel. On Splunk 7.21, the drilldown works fine; Splunk 8 gives the following error: Invalid earliest time.

I narrowed down the issue to an eval statement in the drilldown - |eval k=mvfilter(match(t, ",1$")) - to match a field that ends with ,1. the issue seems to be with the $. I've tried replacing the $ with %24, %2524, replacing double quotes with single quotes and protecting the $ with a backslash (out of desperation). This all fails - well, the %2524 works once, then will fail with the "Invalid earliest time" error on subsequent executions. When i check the drilldown, splunk has translated %2524 to %$.

Does anyone have any guidance/help to offer?

Thank you!

0 Karma
1 Solution

manjunathmeti
Champion

Prefix $ with another dollar sign.

|eval k=mvfilter(match(t, ",1$$"))

View solution in original post

0 Karma

manjunathmeti
Champion

Prefix $ with another dollar sign.

|eval k=mvfilter(match(t, ",1$$"))
0 Karma

krispyswitch
Loves-to-Learn

Thank you manjunathmeti. Your solution works.

Any thoughts on how to stop splunk 8 from translating hex values? Observing how splunk translated %2524 to %: had us test another search that contains regex to find urls containing %3A, %2F. a snippet of the drilldown regex - https((%253A)|(:))((%252F)|(\/)) In 7.21, the drilldown works - in the browser bar this appears as https((%3A)|(:))((%2F)|(\/)).

splunk 8 translates to https((:)|(:))((/)|(\/)) - any urls in our logs containing %3A, %2F are ignored.

Thanks!

0 Karma

manjunathmeti
Champion

Same with %. Prefix it with another % symbol.

0 Karma

krispyswitch
Loves-to-Learn

Thanks for the follow up. The %% didn't work - possibly because it's in a regex statement within the drilldown? both %%3A and %25%253A were tried.

the working regex (7.21) is set up to match url:port - | regex _raw="https((%253A)|(:))((%252F)|(\/))((%252F)|(\/))([a-zA-Z0-9.]%2B)((%253A)|(:))(\d%2B)"

On 8, splunk translates %253A to :, %252F to /, but 8 also completely ignores the + (%2B) - no matter if it's a hard coded +, ++, +, %2B or %252B. when the drilldown executes, the regex in the search window looks like:

regex _raw="https((:)|(:))(()|(\/))(()|(\/))([a-zA-Z0-9.] )((:)|(:))(\d )"
(note where the + should be is just a blank space )

or with the %%:

regex _raw="https((%%3A)|(:))((%%2F)|(\/))((%%2F)|(\/))([a-zA-Z0-9.]%%2B)((%%3A)|(:))(\d%%2B)".

Although the initial dashboard panel search shows 6 matches (single value), but the drilldown completely fails and returns 0 results.

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...