Why am I getting this Server Error?

Robert11 · ‎05-31-2022

I tried to create a dashboard within the Search Function. "Splunk dashboard that displays user searches"

This is on Splunk Enterprise. Currently I am getting ("Server Error") Below is the entered command:

<form theme="dark">
<label>Splunk Search Activity</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="time1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="radio" token="exclude1" searchWhenChanged="true">
<label>Splunk System User</label>
<choice value="user!=splunk-system-user">exclude</choice>
<choice value="*">include</choice>
<default>user!=splunk-system-user</default>
<initialValue>user!=splunk-system-user</initialValue>
</input>
<input type="multiselect" token="user1">
<label>User:</label>
<fieldForLabel>user1</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit action=search
search!="'typeahead*" $exclude1$ | stats count by user</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<choice value="*">all</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> </delimiter>
</input>
<input type="text" token="filter1">
<label>Search Filter:</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_audit action=search search!="'typeahead*" user="$user1$" search=$filter1$ $exclude1$
| stats count by _time user search total_run_time search_id app event_count
| sort -_time</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

Robert11 · ‎05-31-2022

@gcuselloI input the code into w3Schools HTML formatter and it shows a fully functioning Splunk dashboard, but when I input into an XML formatter it comes up with the same error in Line 66. "Unenclosed Root Tag" any advice on what may be causing Splunk to not read </form>

gcusello · ‎05-31-2022

Hi @Robert11,

at first, in general, never create new dashboards in Search App because then you have to move the dashboard and all knowledge objects in anothe app, it's better to create a new app and develop the new dashboard in this new app.

Then, did you explored the Monitor Console?

Maybe the dashboard you need is already present.

Anyway "Server error" isn't an erro related to the search, do other searches run in your Splunk?

Ciao.

Giuseppe

Robert11 · ‎05-31-2022

@gcuselloI went to create dashboard app and when I input the above code it now kicks back "Error on Line 66:Unclosed root tag" The error is coming from </form> at the very bottom.

Below Code:

<dashboard>
<label>User Searches</label>
<description>Displays Splunk User Searches</description>
<form theme="dark">
<label>Splunk Search Activity</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="time1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="radio" token="exclude1" searchWhenChanged="true">
<label>Splunk System User</label>
<choice value="user!=splunk-system-user">exclude</choice>
<choice value="*">include</choice>
<default>user!=splunk-system-user</default>
<initialValue>user!=splunk-system-user</initialValue>
</input>
<input type="multiselect" token="user1">
<label>User:</label>
<fieldForLabel>user1</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit action=search
search!="'typeahead*" $exclude1$ | stats count by user</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<choice value="*">all</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> </delimiter>
</input>
<input type="text" token="filter1">
<label>Search Filter:</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_audit action=search search!="'typeahead*" user="$user1$" search=$filter1$ $exclude1$
| stats count by _time user search total_run_time search_id app event_count
| sort -_time</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

gcusello · ‎05-31-2022

Hi @Robert11,

I don't see anything strange, as I said, try to use the UI -- Edit Search button so you don't have any problem of chars.

Ciao.

Giuseppe

Why am I getting this Server Error?

Dashboard Studio

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...