Searchtemplate on a form for a dashboard and eval

asarolkar · ‎01-04-2013

I get the following error when I try to use "eval" inside my searchTemplate for an interactive dashboard that I am building.

Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 13: StartTag: invalid element name

< form >

< searchtemplate >

sourcetype="syslog" | ... |
eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | timechart ... | eval ...

< /searchtemplate >

< /form>

Anybody know what would cause that exception to be thrown as soon as I try to add the first eval ?

Does < searchTemplate > not like an eval ?

Thanks

sideview · ‎01-04-2013

< and > are special characters in XML, so you have to escape them.

You can either replace your < characters with < and your > characters with >

or you can wrap the entire contents of the element in what is called a CDATA block, such that the entire block looks like this:

<searchtemplate><![CDATA[

sourcetype="syslog" | ... | eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | timechart ... | eval ...
]]>

Searchtemplate on a form for a dashboard and eval

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Searchtemplate on a form for a dashboard and eval

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases