Dashboards & Visualizations

Why am I getting this Server Error?

Robert11
Path Finder

I tried to create a dashboard within the Search Function. "Splunk dashboard that displays user searches"

This is on Splunk Enterprise. Currently I am getting ("Server Error") Below is the entered command:

<form theme="dark">
<label>Splunk Search Activity</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="time1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="radio" token="exclude1" searchWhenChanged="true">
<label>Splunk System User</label>
<choice value="user!=splunk-system-user">exclude</choice>
<choice value="*">include</choice>
<default>user!=splunk-system-user</default>
<initialValue>user!=splunk-system-user</initialValue>
</input>
<input type="multiselect" token="user1">
<label>User:</label>
<fieldForLabel>user1</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit action=search
search!="'typeahead*" $exclude1$ | stats count by user</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<choice value="*">all</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> </delimiter>
</input>
<input type="text" token="filter1">
<label>Search Filter:</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_audit action=search search!="'typeahead*" user="$user1$" search=$filter1$ $exclude1$
| stats count by _time user search total_run_time search_id app event_count
| sort -_time</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

Labels (1)
0 Karma

Robert11
Path Finder

@gcuselloI input the code into w3Schools HTML formatter and it shows a fully functioning Splunk dashboard, but when I input into an XML formatter it comes up with the same error in Line 66. "Unenclosed Root Tag" any advice on what may be causing Splunk to not read </form>

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Robert11,

at first, in general, never create new dashboards in Search App because then you have to move the dashboard and all knowledge objects in anothe app, it's better to create a new app and develop the new dashboard in this new app.

Then, did you explored the Monitor Console?

Maybe the dashboard you need is already present.

Anyway "Server error" isn't an erro related to the search, do other searches run in your Splunk?

Ciao.

Giuseppe

Robert11
Path Finder

@gcuselloI went to create dashboard app and when I input the above code it now kicks back "Error on Line 66:Unclosed root tag" The error is coming from </form> at the very bottom.

Below Code:

<dashboard>
<label>User Searches</label>
<description>Displays Splunk User Searches</description>
<form theme="dark">
<label>Splunk Search Activity</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="time1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="radio" token="exclude1" searchWhenChanged="true">
<label>Splunk System User</label>
<choice value="user!=splunk-system-user">exclude</choice>
<choice value="*">include</choice>
<default>user!=splunk-system-user</default>
<initialValue>user!=splunk-system-user</initialValue>
</input>
<input type="multiselect" token="user1">
<label>User:</label>
<fieldForLabel>user1</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit action=search
search!="'typeahead*" $exclude1$ | stats count by user</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<choice value="*">all</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> </delimiter>
</input>
<input type="text" token="filter1">
<label>Search Filter:</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_audit action=search search!="'typeahead*" user="$user1$" search=$filter1$ $exclude1$
| stats count by _time user search total_run_time search_id app event_count
| sort -_time</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Robert11,

I don't see anything strange, as I said, try to use the UI -- Edit Search button so you don't have any problem of chars.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...