Re: SearchTemplate Query Error

rkanalyst · ‎03-07-2011

I am facing the problem when i am adding "\" inside the searchTemplate query for conditional checks.The same query is working fine when used for the search but not inside searchTemplate .

Query inside SearchTemplate:

searchTemplate> tag="$tagname$" sourcetype="SrcFile" | eval series1=if(searchmatch("\"first String \" AND \"Second String\""),_time,null()) | timechart span="$splitinterval$" count(series1) as Request

   </searchTemplate>

ERROR ::

PARSER: Applying intentions failed Error in 'eval' command: The expression is malformed. Expected ).

Please provide any help if possible.I had tried the option for CData inside the tag.

Thanks in Advance!

rkanalyst · ‎08-08-2011

Got this error Resolved by using the macro. Putting this content in : sourcetype="SrcFile" | eval series1=if(searchmatch(""first String " AND "Second String""),_time,null()) a newly defined Macro.

I found other informations like 1)Backslah problem in splunk http://answers.splunk.com/questions/6563/backslash-escape-problem 2) Use search macro

http://www.splunk.com/base/Documentation/latest/User/CreateAndUseSearchMacros

Paolo_Prigione · ‎03-07-2011

Have you tried to use ascii-html for troublesome characters? Try the following:

replace " (quote) with "
replace \ (backslash) with \

Paolo_Prigione · ‎03-13-2011

Thanks for the update!

rkanalyst · ‎03-07-2011

Thanks.
But I tried by changing the " and \ with the string you mentioned.But Still I am facing the same problem.

SearchTemplate Query Error

ERROR ::

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!