TIPS & TRICKS

The Curious Case of the Quoted Backslash

Recently, we released the Splunk App for Microsoft Exchange, which allows you to get all sorts of visibility from your Exchange 2007 or 2010 environment, covering Security, Operations, Help Desk, Client Behavior and Capacity Planning use cases.  Quite simply, I believe it’s the most comprehensive view of your Exchange system you’ll likely see.

As the Solutions Architect responsible for the app, I hit a few hurdles along the way, as happens in the development of any app, and these became lessons learned for future apps.

One of these was the case of the de-quoted backslash.  Most environments use the backslash as the quoting (escape) character; Windows puts it to a different use, the directory separator, and it also turns up in Exchange database names.  Splunk does a good job of handling quoting and de-quoting automatically, but you still need to escape backslashes in the search language (a literal backslash inside a double-quoted string is written as `\\`), and in one place, described below, Splunk needs a little hint.

Let’s say you create a dashboard using Advanced XML that has a form element in which you can enter a database name.  The database names from Exchange have backslashes in them.  You then use this form element to search for some information on that database name using a macro.  All of a sudden, the dashboard doesn’t work.  Let’s take a look.  I have a test dashboard in Advanced XML that has the following form search in it:

<module name="ExtendedFieldSearch" layoutPanel="mainSearchControls">
  <param name="field">db</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
      <param name="db">
        <param name="fillOnEmpty">True</param>
        <param name="value"></param>
      </param>
    </param>
  </param>
  <param name="replacementMap">
    <param name="arg">
      <param name="db">
        <param name="value"></param>
      </param>
    </param>
  </param>
  <module name="HiddenSearch">
    <param name="search">`get-db-stats($db$)`</param>
    <module name="SimpleResultsTable"></module>
  </module>
</module>

We also need to define the get-db-stats macro, so we create a macros.conf with the definition in it:

[get-db-stats(1)]
args = db
definition = eventtype=msexchange-database-stats Database="$db$"|dedup Database|table Database,MasterType,Status

When we call this and enter one of our database names with a backslash in it, we get no results, even if we escape the backslash in the form box (typing `\\` for each `\`).  The problem is evident when we look at the search through the Search Inspector:

(Screenshot: Search Inspector, "When de-quoting causes problems...")

The problem is that the get-db-stats macro call automatically de-quotes its argument before substituting it into the definition.  Normally this is the right thing to do.  But when the value from the database form element contains an escaped backslash, the de-quoting consumes the escape, a lone backslash lands inside the double-quoted Database="..." string in the definition, and the resulting search no longer matches the name you typed.  We need to prevent the de-quoting operation.

Thanks to Stevey Z. in Splunk Engineering, I now know about a little-overlooked way of doing exactly this when using a macro: double up the parentheses in the macro call to prevent de-quoting.  So, in the HiddenSearch module above, use the following:

`get-db-stats(($db$))`

Once we make this simple change, the dashboard starts working the way we want it to, as can be seen below.

Of course, you should not use this when you are relying on that de-quoting happening, but it is definitely a useful tool in my bag of tricks as we develop more Windows-based Splunk Apps.
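To make the failure mode concrete, here is an added Python model of the two macro calls.  It is not code from this post or from Splunk: `escape_spl` and `unescape_spl` implement the SPL rule that `\\` and `\"` are the escapes inside a double-quoted string, `unescape_spl` stands in for the de-quoting that the single-paren call performs (a simplified model of that step, not Splunk's parser; it drops the backslash from any escape sequence), and the database name is constructed for the example.

```python
"""Model of how a backslash-bearing value survives (or not) a Splunk macro call.

Added example, not code from the original post or from Splunk.  The escape
helpers follow the SPL rule that `\\` and `\"` are the escapes inside a
double-quoted string; `unescape_spl` is a simplified model of the de-quoting
a single-paren macro call performs, not Splunk's parser.
"""
import re

# Constructed Exchange-style database name (assumption; not from the post).
DB_NAME = r"EXCHSRV01\Storage Group 1\Mailbox Database"

# The get-db-stats definition from the post: the argument is substituted
# inside a double-quoted literal.
MACRO_DEFINITION = (
    'eventtype=msexchange-database-stats Database="$db$"'
    "|dedup Database|table Database,MasterType,Status"
)


def escape_spl(value: str) -> str:
    """Escape a value for use inside a double-quoted SPL string.

    Backslash and double quote are escaped, so a value read from a form field
    cannot terminate the literal and be parsed as further search operators.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def unescape_spl(text: str) -> str:
    """Undo one level of backslash escaping (models the macro's de-quoting)."""
    return re.sub(r"\\(.)", r"\1", text)


def expand_macro(form_value: str, dequote: bool) -> str:
    """Expand `get-db-stats` for the text typed into the form box.

    dequote=True models the single-paren call `get-db-stats($db$)`;
    dequote=False models `get-db-stats(($db$))`, which passes it verbatim.
    """
    arg = unescape_spl(form_value) if dequote else form_value
    return MACRO_DEFINITION.replace("$db$", arg)


def database_matched_by(search: str) -> str:
    """Recover the value the Database="..." literal in a search denotes."""
    m = re.search(r'Database="((?:[^"\\]|\\.)*)"', search)
    if m is None:
        raise ValueError("no quoted Database literal in search")
    return unescape_spl(m.group(1))


if __name__ == "__main__":
    typed = escape_spl(DB_NAME)  # what the user enters in the form box
    for label, dequote in (("single parens", True), ("double parens", False)):
        search = expand_macro(typed, dequote)
        print(f"{label}: {search}")
        print("  matches Database value:", database_matched_by(search))
```

With the single-paren call the search ends up with lone backslashes inside the literal and matches a different name; with double parens the escaped name reaches the definition intact.  The same `escape_spl` helper is what you want anywhere a form value is spliced into a search string, since an unescaped double quote would end the literal and let the remainder of the value be read as search syntax.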

Posted by Splunk