Dashboards & Visualizations

How can I include greater/less than signs in a search in my app's simple xml view

Glenn
Builder

I'm trying to build a view that has a bunch of charts on it. I thought that finally I had something that the simple xml might be able to handle, but I'm again having trouble.

The problem comes from the fact that my search uses rex to extract a number of fields. rex syntax uses greater- and less-than signs, which Splunk doesn't appear to like.

When I try to update the xml in the manager (as per below), it gives an error "Encountered the following error while trying to update: In handler 'views': Not valid XML:"

Is there a way I can get around this? Is it a bug?

<?xml version='1.0' encoding='utf-8'?> <dashboard> <label>Order statistics from Oracle</label> <row> <chart> <searchString>sourcetype=ORAExtendedOrderHistory* | rex "(?<sample_date>.*?),(?<channel>\w*),(?<booking_system>\w*),(?<Orders>\d*),(?<StopAndLimit>\d*),(?<WorkingOrder>\d*),(?<TotalOrders>\d*),(?<avgRoundTrip>\d*),(?<minRoundTrip>\d*),(?<maxRoundTrip>\d*),(?<avgWeblogic>\d*),(?<minWebLogic>\d*),(?<maxWeblogic>\d*),(?<avgBookingSystem>\d*),(?<minBookingSystem>\d*),(?<maxBookingSystem>\d*)" | search channel=WEB OR channel=MOBILE OR channel=L23G OR channel=iPhone | timechart span=1m sum(TotalOrders) by channel</searchString> <earliestTime>-5h</earliestTime> <option name="charting.chart">area</option> <option name="charting.chartTitle">Total number of Orders</option> <option name="charting.primaryAxisTitle.text">Time</option> <option name="charting.secondaryAxisTitle.text">Order count</option> </chart> </row> </dashboard>

Tags (2)
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

You need to encode it to be considered completely valid XML. This means either enclosing text in a CDATA

<![CDATA[questionalble text that includes < and > and & characters]]>

or XML-encoding it, which, if you want to be guaranteed to avoid problems, means encoding

< as &lt;
> as &gt;
& as &amp;
" as &quot;

Most XML parsers will tolerate some of these characters in some data, but not always and not conistently from parser to parser.

View solution in original post

marceloalejandr
Path Finder

Please disregard this post.  I found the issue.  The CDATA syntax needed the opening and closing <>. 
| rex <![CDATA["Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"]]>

0 Karma

marceloalejandr
Path Finder

One item to note, when trying to use CDATA as in the example below, the error message changes to "Unexpected close tag".
| rex "Member:\s+\w+\s\w+:.*\\\[CDATA[(?<TargetAccount>.*)]]"

0 Karma

rkanalyst
Explorer

The best way to handle similar kind of special character issue is by using Macro in splunk.
Follow the link
Manager » Advanced search >>New Macro

You can find the manager listed at top right corner of your splunk search window.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

You need to encode it to be considered completely valid XML. This means either enclosing text in a CDATA

<![CDATA[questionalble text that includes < and > and & characters]]>

or XML-encoding it, which, if you want to be guaranteed to avoid problems, means encoding

< as &lt;
> as &gt;
& as &amp;
" as &quot;

Most XML parsers will tolerate some of these characters in some data, but not always and not conistently from parser to parser.

Glenn
Builder

I tried the CDATA option at least, as it was less work than converting each character, and it works fine. Thanks!

0 Karma

V_at_Splunk
Splunk Employee
Splunk Employee

Try    &gt;   (which is ">") and    &lt;   (which is "<").

0 Karma

marceloalejandr
Path Finder

Greetings, 

Found this post which is similar to the issue we're experiencing in a Dashboard that contains regex/rex.   We've tried the [CDATA] option and replacing <> with &gt and &lt.   However we're still getting the "Invalid character entity" in the Dashboard.   There are the 2 similar rex lines and I think we can get the first line resolved we can resolve the other.  Here is the Dashboard rex line:  

| rex "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"

What's need to get rex working in Dashboards?   Appreciate any insight and/or feedback.  

0 Karma

lindonmorris
Explorer

I found this post looking for how to get HTML into an alert email, I realise it's an old question but in case it helps anyone:

 

The SPL:

| makeresults
| eval rexfield="Member: something else: abcde12345 \myaccountname"
| rex field=rexfield "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"

 

Translates to XML:

<query>
| makeresults
| eval rexfield="Member: something else: abcde12345 \myaccountname"
| rex field=rexfield "Member:\s+\w+\s\w+:.*\\\(?&lt;TargetAccount&gt;.*)"
</query>

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...