Splunk Search

Search query is not fully resolved when using a "$" in a

Path Finder

Hi Base,

I'm encountering a problem when creating a dashboard with Simple XML. I want to select a couple of events with a large event-selection phrase:

sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND ErrorCode!="0x0") OR (EventCode=4625 AND AccountName="$" OR Kontoname="$")

When I put this in a Simple XML element, e.g. chart or table, I get the error "Search query is not fully resolved". When I put this into the search view, everything works fine. When I remove the "$", the search also works in SXML.

Does anyone know what's going on here?

Thanks


Re: Search query is not fully resolved when using a "$" in a

Communicator

Hi,

Try incorporating the search in "CDATA" (as shown below) and let us know if it works or not.

<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND ErrorCode!="0x0") OR (EventCode=4625 AND AccountName="$" OR Kontoname="$")]]>

Regards,
Amit Saxena


Re: Search query is not fully resolved when using a "$" in a

Communicator

Use it like this:
<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND ErrorCode!="0x0") OR (EventCode=4625 AND AccountName="$" OR Kontoname="$")]]>


Re: Search query is not fully resolved when using a "$" in a

Path Finder

It does not work even with CDATA...

If I use the above example I get the following error: No search query provided.


Re: Search query is not fully resolved when using a "$" in a

Motivator

Could this be a bug with tokens?
http://answers.splunk.com/answers/109861/multiple-dollar-signs-in-data-cause-issues-when-searching

If you remove one of the dollar signs, does it work OK? And if you replace them both with asterisks (*), does it work?


Re: Search query is not fully resolved when using a "$" in a

Path Finder

You are right: when I remove or replace the $, it works. I also thought it was related to the token bug, but in this search I do not use tokens. In another search, I use tokens very early in the selection part and one after in a subsearch. This search results in the same error. The part between them looks similar to the sample above. When I remove the second token, the search works. Maybe it has something to do with the number of brackets I use in the search... one is OK. If I use 2, then the search fails when I use a "$", no matter if I use tokens or not.


Re: Search query is not fully resolved when using a "$" in a

Path Finder

BTW: if I make this search a saved search and use it in SXML, the search also works...


Re: Search query is not fully resolved when using a "$" in a

Motivator

I guess someone attempted 2 dollar signs back to back, which will work everywhere: $$
http://answers.splunk.com/answers/60771/escaping-in-sideview-search-module


Re: Search query is not fully resolved when using a "$" in a

Path Finder

Yep, escaping in Simple XML works, but you have to "unescape" it if you use it outside SXML...

Thanks!!

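As an added example (not code from any poster in this thread), a small Python helper that shows why the search above fails and how the $$ escape fixes it. It assumes Simple XML's $name$ token syntax, in which everything between two dollar signs is read as a token name, and $$ stands for a literal dollar sign; the scanner here is a simplified model of that behaviour, not Splunk's own parser.

```python
import re

# Simple XML reads "$name$" as a token reference and "$$" as a literal "$".
# Assumption: token names never contain a "$" themselves.
TOKEN_RE = re.compile(r"\$\$|\$([^$]+)\$")

# The search from the thread (the EventCode list is shortened for brevity).
ORIGINAL_SEARCH = (
    'sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 '
    'OR (EventCode=680 AND ErrorCode!="0x0") '
    'OR (EventCode=4625 AND AccountName="$" OR Kontoname="$")'
)


def unresolved_tokens(search: str) -> list[str]:
    """Return the token names Simple XML would try to substitute in `search`.

    A non-empty result is exactly the situation that produces
    "Search query is not fully resolved" when no such token is set.
    """
    names = []
    for match in TOKEN_RE.finditer(search):
        if match.group(0) == "$$":
            continue  # escaped literal dollar sign, not a token
        names.append(match.group(1))
    return names


def escape_for_simplexml(search: str) -> str:
    """Double every '$' so Simple XML passes it through as a literal."""
    return search.replace("$", "$$")


def unescape_from_simplexml(search: str) -> str:
    """Reverse the escaping before reusing the search outside Simple XML."""
    return search.replace("$$", "$")


def simplexml_query(search: str) -> str:
    """Wrap an already-escaped search in a CDATA <query> element."""
    return f"<query><![CDATA[{search}]]></query>"


if __name__ == "__main__":
    # The two lone "$" signs are read as one token named '" OR Kontoname="'.
    print("unresolved:", unresolved_tokens(ORIGINAL_SEARCH))
    escaped = escape_for_simplexml(ORIGINAL_SEARCH)
    print("unresolved after escaping:", unresolved_tokens(escaped))
    print(simplexml_query(escaped))
```

The same scanner also shows that a genuine token such as $user$ survives the escaping unchanged, so mixing real tokens and literal dollar signs in one search is safe as long as only the literal ones are doubled.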