Splunk Search

Search will run in search app but not as hiddensearch

jedatt01
Builder

I have a search that will work fine manually in the search app, but when I try to incorporate it as a hidden search in my custom app xml it gets the following error.
Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 54: StartTag: invalid element name

Search Criteria:
sourcetype="orion__detail_daily" OR sourcetype="gomez_data" | eval percent_avail=coalesce(percent_avail,avail) | eval tier = if(sourcetype="Orion_Server_Detail_Daily","Server",if(sourcetype="Orion_Application_Detail_Daily","Application","User")) | stats avg(percent_avail) as appAvail by tier | eval grnColumn = if(appAvail>95, appAvail, 0) | eval yelColumn = if((appAvail<96* **AND appAvail***>89), appAvail, 0) | eval redColumn = if(appAvail<90,* appAvail, 0) | fields - appAvail

The parts in the search criteria that I have in bold are showing up as blue and what I have in italics are green in the xml editor. I believe this is where it's having the problem.

Tags (1)
0 Karma
1 Solution

dshpritz
SplunkTrust
SplunkTrust

I haven't experienced this first hand, but my guess would be that the problem is that the "<" and ">" need to be converted to valid entities. So &lt; and &gt;.

HTH,

Dave

View solution in original post

dshpritz
SplunkTrust
SplunkTrust

I haven't experienced this first hand, but my guess would be that the problem is that the "<" and ">" need to be converted to valid entities. So &lt; and &gt;.

HTH,

Dave

jedatt01
Builder

Thanks Dave, this worked perfectly!

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...