Solved: Splunk query working fine in search but not workin...

vn50b7z · ‎03-25-2021

I have the below query which works fine in the 'Search' but when I take the same query to a dashboard which has panel with <single> display the query is giving syntax error.

<source query> | rex field=_raw "\"printerType\":\"(?<prnType>[^\"]+)\"" | table prnType | dedup prnType.

Error in dashboard

Unexpected close tag

Please help me what is wrong with the query

@vn50b7z

scelikok · ‎03-25-2021

Hi @vn50b7z,

I think you are adding search into the dashboard source, < and > signs should be change to URL encoding,

Please try below;

| rex field=_raw "\"printerType\":\"(?&lt;prnType&gt;[^\"]+)\"" | table prnType

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎03-25-2021

Hi @vn50b7z,

I think you are adding search into the dashboard source, < and > signs should be change to URL encoding,

Please try below;

| rex field=_raw "\"printerType\":\"(?&lt;prnType&gt;[^\"]+)\"" | table prnType

If this reply helps you an upvote and "Accept as Solution" is appreciated.

vn50b7z · ‎03-25-2021

Yes this worked. Thanks for your help

isoutamo · ‎03-25-2021

Another option is use

<![CDATA[ ....
| rex field=_raw "\"printerType\":\"(?<prnType>[^\"]+)\"" | table prnType
]]>

Splunk query working fine in search but not working in dashboard which has single display

regex

rex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!