I'm trying to build a view that has a bunch of charts on it. I thought that finally I had something that the simple xml might be able to handle, but I'm again having trouble.
The problem comes from the fact that my search uses rex to extract a number of fields. rex syntax uses greater- and less-than signs, which Splunk doesn't appear to like.
When I try to update the xml in the manager (as per below), it gives an error "Encountered the following error while trying to update: In handler 'views': Not valid XML:"
Is there a way I can get around this? Is it a bug?
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
<label>Order statistics from Oracle</label>
<row>
<chart>
<searchString>sourcetype=ORAExtendedOrderHistory* | rex "(?<sample_date>.*?),(?<channel>\w*),(?<booking_system>\w*),(?<Orders>\d*),(?<StopAndLimit>\d*),(?<WorkingOrder>\d*),(?<TotalOrders>\d*),(?<avgRoundTrip>\d*),(?<minRoundTrip>\d*),(?<maxRoundTrip>\d*),(?<avgWeblogic>\d*),(?<minWebLogic>\d*),(?<maxWeblogic>\d*),(?<avgBookingSystem>\d*),(?<minBookingSystem>\d*),(?<maxBookingSystem>\d*)" | search channel=WEB OR channel=MOBILE OR channel=L23G OR channel=iPhone | timechart span=1m sum(TotalOrders) by channel</searchString>
<earliestTime>-5h</earliestTime>
<option name="charting.chart">area</option>
<option name="charting.chartTitle">Total number of Orders</option>
<option name="charting.primaryAxisTitle.text">Time</option>
<option name="charting.secondaryAxisTitle.text">Order count</option>
</chart>
</row>
</dashboard>
You need to encode it to be considered completely valid XML. This means either enclosing text in a CDATA
<![CDATA[questionalble text that includes < and > and & characters]]>
or XML-encoding it, which, if you want to be guaranteed to avoid problems, means encoding
< as <
> as >
& as &
" as "
Most XML parsers will tolerate some of these characters in some data, but not always and not conistently from parser to parser.
Please disregard this post. I found the issue. The CDATA syntax needed the opening and closing <>.
| rex <![CDATA["Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"]]>
One item to note, when trying to use CDATA as in the example below, the error message changes to "Unexpected close tag".
| rex "Member:\s+\w+\s\w+:.*\\\[CDATA[(?<TargetAccount>.*)]]"
The best way to handle similar kind of special character issue is by using Macro in splunk.
Follow the link
Manager » Advanced search >>New Macro
You can find the manager listed at top right corner of your splunk search window.
You need to encode it to be considered completely valid XML. This means either enclosing text in a CDATA
<![CDATA[questionalble text that includes < and > and & characters]]>
or XML-encoding it, which, if you want to be guaranteed to avoid problems, means encoding
< as <
> as >
& as &
" as "
Most XML parsers will tolerate some of these characters in some data, but not always and not conistently from parser to parser.
I tried the CDATA option at least, as it was less work than converting each character, and it works fine. Thanks!
Try >
(which is ">
") and <
(which is "<
").
Greetings,
Found this post which is similar to the issue we're experiencing in a Dashboard that contains regex/rex. We've tried the [CDATA] option and replacing <> with > and <. However we're still getting the "Invalid character entity" in the Dashboard. There are the 2 similar rex lines and I think we can get the first line resolved we can resolve the other. Here is the Dashboard rex line:
| rex "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"
What's need to get rex working in Dashboards? Appreciate any insight and/or feedback.
I found this post looking for how to get HTML into an alert email, I realise it's an old question but in case it helps anyone:
The SPL:
| makeresults
| eval rexfield="Member: something else: abcde12345 \myaccountname"
| rex field=rexfield "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"
Translates to XML:
<query>
| makeresults
| eval rexfield="Member: something else: abcde12345 \myaccountname"
| rex field=rexfield "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"
</query>