Hi I am trying to create a Splunk CLI tool , that CLI reads the TOML config and get the search string. the search string contains double quotes (") and when rust reads it, it adds escape characters to it like (\") as expected.
now the real problem is that when i used this string with escapes characters it give me error as Splunk Search does not support escape characters in eval commands.
is there a way i can remove escape sequence from string before passing it to Splunk API ?
PS C:\kumar\Rust\rust_projects\splunkcli> cargo run -- -f C:\kumar\Rust\rust_projects\splunkcli\search.toml
Compiling splunkcli v0.2.0 (C:\kumar\Rust\rust_projects\splunkcli)
Finished dev [unoptimized + debuginfo] target(s) in 7.32s
Running `target\debug\splunkcli.exe -f C:\kumar\Rust\rust_projects\splunkcli\search.toml`
[2021-08-21T19:51:14Z INFO splunkcli] search file name: Some("C:\\kumar\\Rust\\rust_projects\\splunkcli\\search.toml")
[2021-08-21T19:51:14Z INFO splunkcli] Search query is: "index=\"my_index\" source=apache* earliest=-1h@h latest=@h | eval alert_name = host+\"_\"+source"
[2021-08-21T19:51:16Z INFO splunkcli::splunk] Search request status code is : 201 Created
[2021-08-21T19:51:16Z INFO splunkcli] Search SID is: 1629575475.684825_ED51B6CA-996E-4498-AF35-DBCF822DB2BE
[2021-08-21T19:51:16Z INFO splunkcli::splunk] Search request status is: false
[2021-08-21T19:51:27Z INFO splunkcli] Search sacn count is: 0
[2021-08-21T19:51:27Z INFO splunkcli] Search event count is: 0
[2021-08-21T19:51:27Z INFO splunkcli] Search result count is: 0
[2021-08-21T19:51:27Z INFO splunkcli] Search run duration is: 0.004
[2021-08-21T19:51:28Z INFO splunkcli::splunk] Status code for search result is : 400 Bad Request
Err(
CustomStatusCode {
status_code: "400",
msg: "{\"messages\":[{\"type\":\"FATAL\",\"text\":\"Error in 'eval' command: The expression is malformed.\"}]}",
},
)
It looks like you're printing using the debug representation, which will include escape characters, but the strings shouldn't actually contain any. For example
let s = "\"string\" with escapes";
println!("{}", s);
println!("{:?}", s);
will print
"string" with escapes
"\"string\" with escapes"
If you print out the search string using something like
println!("{}", config.searches[0]);
does it still contain the slashes? If not, there's probably some other issue with the string or how you're passing it forwards. If you're not familiar with the difference between {}, {:?} and such, you can find more info on formatting in the std::fmt docs.
Ok, I got the issue. basically the search query is fine. but when it send the post request to Splunk servers, the splunk servers receive the query without (+) sign in eval expression as shown below:
I'm guessing you need to url encode the body to make sure special characters get through. Try running the string through urlencoding::encode from https://crates.io/crates/urlencoding before sending it. If that doesn't work you may need to look at splunk's docs to see what could be going wrong.