I am facing the problem when i am adding "\" inside the searchTemplate query for conditional checks.The same query is working fine when used for the search but not inside searchTemplate .
Query inside SearchTemplate:
searchTemplate> tag="$tagname$" sourcetype="SrcFile" | eval series1=if(searchmatch("\"first String \" AND \"Second String\""),_time,null()) | timechart span="$splitinterval$" count(series1) as Request
</searchTemplate>
PARSER: Applying intentions failed Error in 'eval' command: The expression is malformed. Expected ).
Please provide any help if possible.I had tried the option for CData inside the tag.
Thanks in Advance!
Got this error Resolved by using the macro. Putting this content in : sourcetype="SrcFile" | eval series1=if(searchmatch(""first String " AND "Second String""),_time,null()) a newly defined Macro.
I found other informations like 1)Backslah problem in splunk http://answers.splunk.com/questions/6563/backslash-escape-problem 2) Use search macro
http://www.splunk.com/base/Documentation/latest/User/CreateAndUseSearchMacros
Have you tried to use ascii-html for troublesome characters? Try the following:
Thanks for the update!
Thanks.
But I tried by changing the " and \ with the string you mentioned.But Still I am facing the same problem.