topic Re: Search query is not fully resolved when using a "$" in a in Splunk Search

Search query is not fully resolved when using a "$" in a

ndcl — Mon, 28 Sep 2020 15:28:07 GMT

Hi Base,

i´m encouter a problem when creating a dashboard with simple xml. I want to select a couple of events with a large eventselection pharse:

sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")

when I put this in an simple xml element f.e. chart or table I get the error Search query is not fully resolved. When I put this into the search view everything works fine. When I remove the "$" the search also works in sxml.

Do anyone know whats going on here?

Thanks

Re: Search query is not fully resolved when using a "$" in a

amit_saxena — Mon, 28 Sep 2020 15:28:10 GMT

Hi,

Try incorporating the search in "CDATA" ( as shown below ) and let us know if it works or not.

<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")]]>

Regards,
Amit Saxena

Re: Search query is not fully resolved when using a "$" in a

amit_saxena — Mon, 28 Sep 2020 15:28:13 GMT

Use like this
<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")]]>

Re: Search query is not fully resolved when using a "$" in a

ndcl — Thu, 12 Dec 2013 12:57:28 GMT

it does not work even with CDATA...

If I use the above example I get the following error: No search query provided.

Re: Search query is not fully resolved when using a "$" in a

aelliott — Thu, 12 Dec 2013 15:34:26 GMT

Could this be a bug with tokens?
http://answers.splunk.com/answers/109861/multiple-dollar-signs-in-data-cause-issues-when-searching

If you remove one of the dollar signs does it work ok? and if you replace them both with asterisks (*) does it work?

Re: Search query is not fully resolved when using a "$" in a

ndcl — Thu, 12 Dec 2013 18:12:34 GMT

you are right when I remove or replace the $ then it works. I also thought it is related to the token bug, but in this search, I do not use tokens. In another search, I use tokens very early in the selection part and one after in a sub search. This search results in the same error. The part between them looks similar to the sample above. When I remove the second token, the search works. Maybe it has something to do with the amount of brackets I use in the search… one is ok. If I use 2 then the search fail when I user a “$” no matter if I use tokens or not.

Re: Search query is not fully resolved when using a "$" in a

ndcl — Thu, 12 Dec 2013 18:31:31 GMT

btw: If I make this search to a seaved search and use it in sxml the search also works...

Re: Search query is not fully resolved when using a "$" in a

aelliott — Thu, 12 Dec 2013 20:47:18 GMT

I guess someone attempted 2 dollar signs back to back will work everywhere $$
http://answers.splunk.com/answers/60771/escaping-in-sideview-search-module

Re: Search query is not fully resolved when using a "$" in a

ndcl — Mon, 20 Jan 2014 14:25:20 GMT

yep, escaping in simple xml works, but you have to "unescape" if you use it outside sxml...

Thanks!!