Splunk Search

Search query is not fully resolved when using a "$" in a

ndcl
Path Finder

Hi Base,

I'm encountering a problem when creating a dashboard with Simple XML. I want to select a couple of events with a large event selection phrase:

sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")

When I put this in a Simple XML element, e.g. chart or table, I get the error "Search query is not fully resolved". When I put this into the search view, everything works fine. When I remove the "$", the search also works in sxml.

Does anyone know what's going on here?

Thanks

1 Solution

aelliott
Motivator

Could this be a bug with tokens?
http://answers.splunk.com/answers/109861/multiple-dollar-signs-in-data-cause-issues-when-searching

If you remove one of the dollar signs, does it work OK? And if you replace them both with asterisks (*), does it work?


ndcl
Path Finder

Yep, escaping in Simple XML works, but you have to "unescape" if you use it outside sxml...

Thanks!!

aelliott
Motivator

I guess someone attempted it: 2 dollar signs back to back will work everywhere ($$).
http://answers.splunk.com/answers/60771/escaping-in-sideview-search-module
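To make the escaping rule discussed above concrete, here is a small Python model (an added example, not Splunk's code or anything posted in this thread) of how a Simple XML search string is tokenised: text between two "$" is read as a token reference, "$$" is a literal dollar sign, and a reference that has no value is what surfaces as "Search query is not fully resolved". The search string is the one from the question; the token syntax model is a simplifying assumption.

```python
import re
from typing import Dict, Optional

# Simplified model of Simple XML token handling (an assumption, not Splunk's
# own code): "$name$" is a token reference and "$$" is an escaped literal "$".
TOKEN_RE = re.compile(r"\$\$|\$([^$]*)\$")

# The search from the question, reconstructed here as sample input.
ORIGINAL_SEARCH = (
    'sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 '
    'OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 '
    'OR EventCode=535 OR EventCode=536 OR EventCode=537 '
    'OR (EventCode=680 AND Error_Code!="0x0") '
    'OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")'
)

class UnresolvedToken(Exception):
    """A $...$ reference with no value: the dashboard reports
    'Search query is not fully resolved'."""

def resolve_tokens(search: str, tokens: Optional[Dict[str, str]] = None) -> str:
    """Substitute $name$ references and turn $$ into a literal $."""
    values = tokens or {}
    def repl(match):
        if match.group(0) == "$$":
            return "$"
        name = match.group(1)
        if name not in values:
            raise UnresolvedToken(name)
        return values[name]
    return TOKEN_RE.sub(repl, search)

def is_fully_resolved(search: str, tokens: Optional[Dict[str, str]] = None) -> bool:
    """True when every $...$ reference in the search can be substituted."""
    try:
        resolve_tokens(search, tokens)
        return True
    except UnresolvedToken:
        return False

def escape_for_simplexml(search: str) -> str:
    """Double every literal $ before pasting a search into Simple XML."""
    return search.replace("$", "$$")

def unescape_from_simplexml(search: str) -> str:
    """Reverse the escaping for reuse outside a dashboard (e.g. the search bar)."""
    return search.replace("$$", "$")
```

With the original string the two bare "$" are read as a single token named `" OR Kontoname="`, which has no value; with a single "$" there is no pair to match, which is why removing one of them makes the search work.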

ndcl
Path Finder

BTW: if I make this search a saved search and use it in sxml, the search also works...

ndcl
Path Finder

You are right: when I remove or replace the $, it works. I also thought it was related to the token bug, but in this search I do not use tokens. In another search I use tokens very early in the selection part and one after in a subsearch. This search results in the same error. The part between them looks similar to the sample above. When I remove the second token, the search works. Maybe it has something to do with the amount of brackets I use in the search… one is OK. If I use 2, then the search fails when I use a "$", no matter if I use tokens or not.

amit_saxena
Communicator

Hi,

Try incorporating the search in "CDATA" (as shown below) and let us know if it works or not.

<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")]]>

Regards,
Amit Saxena


ndcl
Path Finder

It does not work even with CDATA...

If I use the above example, I get the following error: No search query provided.

amit_saxena
Communicator

Use it like this:
<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")]]>
