
Editing the dashboard source XML for a conditional count search, why am I getting error "StartTag: invalid element name"?

dan_pudwell
Explorer

I am trying to count events where a field is in between a couple of ranges.
My field is detail.id which has the following format -> A1234567B

First thing I do is substring out the digits, then check if the digits are in certain ranges, and then count them.

baseSearch | eval id=substr(detail.id,2,7) | eval ps_id = if((id >= 2700000 AND id <= 2,704,999) OR (id >= 2730000 AND id <= 2735999), 1, 0) | stats sum(ps_id) as count

I am editing the source xml for a dashboard so when I try and save this, I get the following error:

Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 77: StartTag: invalid element name

This seems to be something with the < since when I take it out, I can save it, but the search, however, doesn't work.

0 Karma

DalJeanis
SplunkTrust

Within XML, in any literals or eval-type code, you have to encode the < and > in order for the system not to think you are writing XML tags. (And the commas in the number are a problem also.)

so, ...

| eval ps_id = if((id >= 2700000 AND id <= 2,704,999) OR (id >= 2730000 AND id <= 2735999), 1, 0)  

... should be written as ...

| eval ps_id = if((id &gt;= 2700000 AND id &lt;= 2704999) OR (id &gt;= 2730000 AND id &lt;= 2735999), 1, 0)
0 Karma
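
The encoding rule from the answer above, as an added example that is not part of the thread: it checks with Python's XML parser that the raw search is rejected, and that both the entity-encoded form and a CDATA-wrapped form parse back to the same SPL. It assumes the search sits in a Simple XML `<query>` element; the helper names `query_element` and `parses_back` are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SPL from the thread, with the thousands separators already removed.
SPL = ("baseSearch | eval id=substr(detail.id,2,7) "
       "| eval ps_id = if((id >= 2700000 AND id <= 2704999) "
       "OR (id >= 2730000 AND id <= 2735999), 1, 0) "
       "| stats sum(ps_id) as count")


def query_element(spl, use_cdata=False):
    """Return a <query> element string that is well-formed XML (hypothetical helper)."""
    if use_cdata:
        # CDATA keeps the SPL readable in the source editor. A literal "]]>"
        # would close the section early, so split it across two sections.
        body = spl.replace("]]>", "]]]]><![CDATA[>")
        return "<query><![CDATA[" + body + "]]></query>"
    # escape() rewrites &, < and > as &amp;, &lt; and &gt;.
    return "<query>" + escape(spl) + "</query>"


def parses_back(xml_fragment):
    """Return the query text as an XML parser sees it, or None if malformed."""
    try:
        return ET.fromstring(xml_fragment).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    raw = "<query>" + SPL + "</query>"
    print("raw parses:     ", parses_back(raw) is not None)
    print("escaped form:   ", query_element(SPL))
    print("escaped matches:", parses_back(query_element(SPL)) == SPL)
    print("CDATA matches:  ", parses_back(query_element(SPL, use_cdata=True)) == SPL)
```
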

ddrillic
Ultra Champion

The commas in 2,704,999 break the eval command. The following test command worked -

baseSearch
| eval detailid="A1234567B"
| eval id=substr(detailid,2,7)
| eval ps_id = if((id >= 2700000 AND id <= 2704999) OR (id >= 2730000 AND id <= 2735999), 1, 0)

0 Karma

dan_pudwell
Explorer

I probably should have updated that without the comments. Now I can't as my reputation is too low.
The stats sum(ps_id) as count however returns 0?
Also still getting the error when editing the source of the dashboard?

0 Karma

ddrillic
Ultra Champion

b/c ps_id is 0 ....

0 Karma

dan_pudwell
Explorer

but in my test data it shouldn't be

0 Karma