Dashboards & Visualizations

How to prevent getting an error using brackets < > in a rex expression while creating a dashboard view in XML?

satya2p
Path Finder

I am using a rex expression to filter results for a drop-down created for a dashboard. I'm using xml to develop the dashboard and it seems values under this bracket < > are not allowed for use in xml. While saving the xml, I'm getting the following pop up:

"Encountered the following error while trying to update: In handler "views" error parsing xml on line 140: Premature end of data in tag view line 1"

Please suggest if any other way I can achieve below.

< module name="Search" layoutPanel="panel_row1_col1" autoRun="True" >
< param name="search" >$name$ sourcetype="$server$" $logLevel$ "PhoneNo"
| rex field=_raw "PhoneNo*=(?< PhoneNo >\d{8})+*"
| stats count by name, logLevel, PhoneNo,

0 Karma

dokaas_2
Path Finder

The easiest way I've found is to create a macro of your query. The use the macro in your dashboard query statement. Be sure permissions are properly set.

<query>`your_query`</query>
0 Karma

woodcock
Esteemed Legend

Do Edit -> Source -> CTRL-F then type >, then CTRL-F, then type &gt;, then click the All to the right of Replace. Do the same thing for < but use &lt;. Then click Save.

bwlm
Path Finder

Need to replace the "less than" (<) and "greater than" (>) brackets with the HTML rendering of the same: "& l t ;" and "& g t ;" (but remove the spaces in between the characters).

You can test this by saving any Splunk search with brackets as a dashboard panel, then editing the dashboard to view the XML source. For example, your search string:

| rex field=_raw "PhoneNo*=(?< PhoneNo >\d{8})+*"

when placed in a Splunk XML dashboard becomes:

| rex field=_raw "PhoneNo*=(?%lt;PhoneNo %gt;\d{8})+*"

cjohnk
Explorer

I had to replace less than and greater than signs with the following & l t ; and & g t ; (Without spaces)

(?P & l t ; accountname & g t ; .*)

https://docs.splunk.com/Documentation/Splunk/8.0.0/Viz/OverviewofSimplifiedXML

0 Karma

jacobpevans
Motivator

Reference for the future - use the dashboard GUI search editor, then copy and paste from the XML generated for you. It's the easiest way if you have lots of HTML encoded characters.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

yannK
Splunk Employee
Splunk Employee

add a CDATA wrapper around your search.

satya2p
Path Finder

I tried with CDATA, I am not able to extract value which i was getting using rex. If you can pls share syntax for CDATA wrapper.

0 Karma

satya2p
Path Finder

If I am wrapping (PhoneNo=(?< PhoneNo >d{8})+") within CDATA.. the rex search syntax is not working, any suggestions?

0 Karma

lksridhar
Explorer

Hi Satya2p,

have you fixed your issue if you fixed the issue, please provide me the solution to fix the issue and i am facing the same issue and didn't able to find the solution for the same.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...