Hello,
I'm running the following search out of an Advanced XML dashboard in Splunk 4.3, build 115073.
index=winevents Type=Error OR Type=Warning SourceName="Application Error" EventCode=1000 | rex field=Message "Faulting application name: (?<Application>[\w\.]*)" | stats count(Application) as Faults by host,Application | sort -Faults
It works fine when run directly from the search app, but when I copy it into a HiddenSearch in Splunk's XML editor, the editor highlights the terminating param, module, and view tags in red and won't let me save the dashboard. The message is "Encountered the following error while trying to update: In handle 'views': Not valid XML."
The problem is the Application tag and its surrounding angle brackets in the rex section. If I remove the tag, the XML becomes valid again, but then the rex syntax is broken. If I modify the search code to use the HTML entities for the brackets, the dashboard works. I believe it's an XML editor bug to flag this as invalid syntax since I'm clearly not changing the XML tags. Can the syntax checker be made smarter so that it ignores everything within a tag?
To be valid XML in the view, you must XML escape it. You can do this character by character or using CDATA.
To do this character by character, replace <
with <
and >
with >
. You also have to escape "
, '
and &
, with "
, '
and &
respectively.
To use CDATA, wrap the whole search with: <![CDATA[
and ]]>
.
To be valid XML in the view, you must XML escape it. You can do this character by character or using CDATA.
To do this character by character, replace <
with <
and >
with >
. You also have to escape "
, '
and &
, with "
, '
and &
respectively.
To use CDATA, wrap the whole search with: <![CDATA[
and ]]>
.
I figured out the & lt; substitution halfway through writing my question, so I was more curious about why the editor was unhappy. I didn't realize this was a limitation of XML parsing in general. Thanks for the reply.