Splunk Search

Splunk query working fine in search but not working in dashboard which has single display

vn50b7z
Engager

I have the below query which works fine in the 'Search' but when I take the same query to a dashboard which has panel with <single> display the query is giving syntax error.

<source query> | rex field=_raw "\"printerType\":\"(?<prnType>[^\"]+)\"" | table prnType | dedup prnType.

Error in dashboard

Unexpected close tag

Please help me what is wrong with the query

@vn50b7z 

Labels (2)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @vn50b7z,

I think you are adding search into the dashboard source, < and > signs should be change to URL encoding,

Please try below;

| rex field=_raw "\"printerType\":\"(?&lt;prnType&gt;[^\"]+)\"" | table prnType
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @vn50b7z,

I think you are adding search into the dashboard source, < and > signs should be change to URL encoding,

Please try below;

| rex field=_raw "\"printerType\":\"(?&lt;prnType&gt;[^\"]+)\"" | table prnType
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

vn50b7z
Engager

Yes this worked. Thanks for your help

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Another option is use 

<![CDATA[ ....
| rex field=_raw "\"printerType\":\"(?<prnType>[^\"]+)\"" | table prnType
]]>

 

0 Karma
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...