Solved: How to use CDATA in a search where the value conta...

kragel · ‎04-04-2014

I have a variable with an equals sign in it and I want to search on it. The equals sign seems to mess up the search. If I paste it in a CDATA string it doesn't seem to read the string either. If I manually put quotes around the actual value and use Search it works fine.

<module name="Search">
  <param name="search">$row.fields.pp_msgid$</param>
</modlue>

row.fields.pp_msgid=CAELFq+=4VHzpb97vrxLCwY2bqe5MM-P7BHMuCgz9CQ3zcQz_Pg@subdomain.domain.com

I tried the following but was unsuccessful.

<module name="Search">
  <param name="search"><![CDATA[$row.fields.pp_msgid$]]></param>
</module>

Can anyone suggest a way to search on the entire string? Or if I'm missing something with my CDATA line, can you help me out? Thanks.

sideview · ‎04-04-2014

I'm pretty sure you just want

<module name="Search">
  <param name="search">"$row.fields.pp_msgid$"</param>
</module>

You don't need to mess around with CDATA - that's actually for xml-unsafe characters in the param string, not for characters in the evaluated $foo$ token.

View solution in original post

sideview · ‎04-04-2014

I'm pretty sure you just want

<module name="Search">
  <param name="search">"$row.fields.pp_msgid$"</param>
</module>

You don't need to mess around with CDATA - that's actually for xml-unsafe characters in the param string, not for characters in the evaluated $foo$ token.

kragel · ‎04-04-2014

Thanks!!!! That worked.

How to use CDATA in a search where the value contains an equals sign

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?