topic Re: xml problem, can't get right results.... in Dashboards & Visualizations

xml problem, can't get right results....

riderofyamaha — Wed, 07 Jul 2010 01:41:04 GMT

I'm having a problem with getting simple xml working on a form search that is meant to be used searching for a username or specific ip address. The search should be used to find out certain attributes and group them in a table like pool ip, time, host etc. This should be fairly straight forward but im having problems with the searches not bringing back complete results and sometimes just showing the host and time in the results table. the xml so far is as follows, im sure there is something that im over looking though...

 <form> <label>Search ME</label> <searchTemplate>(host=cvpn00bay-inside.bay.cbeyond.net)       

 $SearchHere$ | fields + host, username, ip, _time, vpn_poolip </searchTemplate> <earliestTime>-     
 30d</earliestTime> <latestTime>-0d</latestTime> <html> Enter a sourcetype in the field below 

 and this view will pull back the most recent 100 events from the metrics log concerning that 

 sourcetype. </html> <fieldset> <input token="SearchHere" /> </fieldset> <row> <table> 

 <title>activity</title> <option name="count">50</option> </table> </row> <fields>_raw</fields> 

 </form>



 suggestions?

Re: xml problem, can't get right results....

sideview — Wed, 07 Jul 2010 01:59:05 GMT

the <fields>_raw</fields> at the end isnt doing anything and should be removed.

Also fyi fields + foo as of 4.0 is deprecated and does the exact same thing as fields foo. There used to be a difference but it's gone now so you might as well use the shorter syntax.

And im not sure why you're getting the inconsistent behaviour but you might try putting this into the <table>:

<fields>host, username, ip, _time, vpn_poolip</fields>

And I think if you have that in there you wont need the fields clause anymore at all in the search.

However what you have should work I think. Its possible the table has maybe started sneaking in its own default and that's inadvertently filtering out the fields you want...

Re: xml problem, can't get right results....

Lowell — Wed, 07 Jul 2010 02:00:18 GMT

Seems like there are a couple of tags in the wrong place. Specifically <html> and <fields>, but there could still be other problems. But I think this is a step in the right direction for you:

<?xml version="1.0"?>
<form>
  <label>Search ME</label>
  <searchTemplate>(host=cvpn00bay-inside.bay.cbeyond.net) $SearchHere$ | fields + host, username, ip, _time, vpn_poolip</searchTemplate>
  <earliestTime>-30d</earliestTime>
  <latestTime>-0d</latestTime>
  <fieldset>
    <input token="SearchHere"/>
  </fieldset>
  <row>
    <html>
    Enter a sourcetype in the field below and this view will pull back the most
    recent 100 events from the metrics log concerning that sourcetype.
    </html>
  </row>
  <row>
    <table>
      <title>activity</title>
      <option name="count">50</option>
      <fields>_raw</fields>
    </table>
  </row>
</form>

Re: xml problem, can't get right results....

Lowell — Wed, 07 Jul 2010 02:04:42 GMT

What's the different between <fields> and <options name="fields">?

Re: xml problem, can't get right results....

riderofyamaha — Wed, 07 Jul 2010 02:30:29 GMT

thank you very much lowell and nick for your fast responses, ill give this a try and check back here

Re: xml problem, can't get right results....

sideview — Wed, 07 Jul 2010 06:42:48 GMT

Good point. The difference is you are correct, and i am mistaken. 😃 I work here and even I cant keep the vs vs thing straight. Thanks.