Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search not working in dashboard

crossap
Path Finder
‎05-21-2015 03:52 AM

Hi,

newly created search will not work as part of dashboard

| dbquery "database" "SELECT * FROM new_compliancelist"| stats count(eval(FAILED<1)) as success count as total| eval SANS31 = success/total*100 |fields SANS31 | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.2" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.2] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.3" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.3] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.6" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.6] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.7" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.7] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.10" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.10] | eval SANS3=('SANS31'+'SANS3.2'+'SANS3.3'+'SANS3.10'+'SANS3.7'+'SANS3.6')/6

The error I get when trying to save is

Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 9: StartTag: invalid element name

Lots of the search is showing in RED when added to the dashboard code (but works is pasted into search without the rangemap text)

<search>
<query>| dbquery "database" "SELECT * FROM new_compliancelist"| stats count(eval(FAILED<1)) as success count as total| eval SANS31 = success/total*100 |fields SANS31 | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.2" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.2] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.3" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.3] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.6" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.6] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.7" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.7] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.10" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.10] | eval SANS3=('SANS31'+'SANS3.2'+'SANS3.3'+'SANS3.10'+'SANS3.7'+'SANS3.6')/6 | rangemap field=SANS3 elevated=51-84 low=85-100 severe=0-50 default=none</query>
-15m
now

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

crossap
Path Finder
‎05-21-2015 05:50 AM

Hi,

I managed to get this working by adding

| fields SANS3 just before the | range

thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

crossap
Path Finder
‎05-21-2015 05:50 AM

Hi,

I managed to get this working by adding

| fields SANS3 just before the | range

thanks!

0 Karma
Reply
Solved! Jump to solution

crossap
Path Finder
‎05-21-2015 04:09 AM

Hi,

Hope this pastes ok as I cant attach a file (karma points)

SANS 20 OVERVIEW

<panel>
  <title>SANS 1</title>
  <single>
    <title>Authorized &amp; Unauthorized Devices</title>
    <search>

| dbquery "database" "SELECT * FROM new_compliancelist"| stats count(eval(FAILED<1)) as success count as total | eval value = success/total*100 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 2

Authorized & Unauthorized Software

| stats count as value | eval value = 0 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 3

Secure Configurations for Hardware & Software

| dbquery "database" "SELECT * FROM new_compliancelist"| stats count(eval(FAILED<1)) as success count as total| eval SANS31 = success/total*100 |fields SANS31 | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.2" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.2] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.3" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.3] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.6" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.6] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.7" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.7] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.10" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.10] | eval SANS3=('SANS31'+'SANS3.2'+'SANS3.3'+'SANS3.10'+'SANS3.7'+'SANS3.6')/6 | rangemap field=SANS3 elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 4

Continuous Vulnerability Assesment

| stats count as value | eval value = 95 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 5

Malware and Anti virus Defenses

| stats count as value | eval value = 95 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information 

<panel>
  <title>SANS 6</title>
  <single>
    <title>Application Software</title>
    <search>

| stats count as value | eval value = 20 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 7

Wireless Access Control

| stats count as value | eval value = 25 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 8

Data Recovery Capability

| stats count as value | eval value = 25 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 9

Secure Skills Assesment

| stats count as value | eval value = 10 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 10

Secure Configurations

| stats count as value | eval value = 10 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information 

<panel>
  <title>SANS 11</title>
  <single>
    <title>Limitation &amp; Control of Network Ports, Protocols</title>
    <search>

| stats count as value | eval value = 25 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 12

Controlled use of Administrative Privileges

| stats count as value | eval value = 60 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 13

Boundary Defense

| stats count as value | eval value = 70 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 14

Monitoring of Logs

| stats count as value | eval value = 20 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 15

Controlled Access based on Need to Know

| stats count as value | eval value = 20 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information 

<panel>
  <title>SANS 16</title>
  <single>
    <title>Account Monitoring &amp; Control</title>
    <search>

| stats count as value | eval value = 25 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 17

Data Protection

| stats count as value | eval value = 30 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 18

Incident Response & Management

| stats count as value | eval value = 25 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 19

Secure Network Engineering

| stats count as value | eval value = 14 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information


SANS 20

Penetration Tests

| stats count as value | eval value = 95 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
-15m
now

range
value
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
search
[0,49,84,100]
[0xd13b3b,0xebe42d,0x7e9f44]
none

Additional Information

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎05-21-2015 04:07 AM

I would imagine your search contains characters that interrupt the xml (I can't pinpoint one exactly though).

Have you tried the second solution from the answer to this question? Basically you just enclose your entire search with

<![CDATA[

before and 

]]>

after.

0 Karma
Reply
Solved! Jump to solution

crossap
Path Finder
‎05-21-2015 04:28 AM

Hi,

I tried this and the XML is saving now but its only actually doing the first calculation not the entire part

<query><![CDATA[ | dbquery "database" "SELECT * FROM new_compliancelist"| stats count(eval(FAILED<1)) as success count as total| eval SANS31 = success/total*100 |fields SANS31 | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.2" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.2] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.3" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.3] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.6" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.6] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.7" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.7] | join [ | dbquery "database" "SELECT * FROM SANS20Score" | WHERE SANSID = "3.10" | fields "COMPLIANCE%"| rename COMPLIANCE% as SANS3.10] | eval SANS3=('SANS31'+'SANS3.2'+'SANS3.3'+'SANS3.10'+'SANS3.7'+'SANS3.6')/6 | rangemap field=SANS3 elevated=51-84 low=85-100 severe=0-50 default=none]]></query>

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎05-21-2015 04:47 AM

Have you checked what exact search is run when the dashboard is opened?

0 Karma
Reply
Solved! Jump to solution

crossap
Path Finder
‎05-21-2015 05:07 AM

Hi,

Do you check this by clicking to edit the search string? if so its as expeted

anything weird like it needs to be appendcols rather than join?

0 Karma
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎05-21-2015 03:58 AM

hi crosssap,
it is a beacon problem is that has not been closed or badly positioned, can you post all your xml so that we may identify the problem?

0 Karma
Reply
Solved! Jump to solution

crossap
Path Finder
‎05-21-2015 04:10 AM

Is there another way I can post all of the xml? due to the crazy formatting that comes through

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...