Solved: Splunk query working fine in search but not workin...

vn50b7z · ‎03-25-2021

I have the below query which works fine in the 'Search' but when I take the same query to a dashboard which has panel with <single> display the query is giving syntax error.

<source query> | rex field=_raw "\"printerType\":\"(?<prnType>[^\"]+)\"" | table prnType | dedup prnType.

Error in dashboard

Unexpected close tag

Please help me what is wrong with the query

@vn50b7z

scelikok · ‎03-25-2021

Hi @vn50b7z,

I think you are adding search into the dashboard source, < and > signs should be change to URL encoding,

Please try below;

| rex field=_raw "\"printerType\":\"(?&lt;prnType&gt;[^\"]+)\"" | table prnType

If this reply helps you an upvote is appreciated.

View solution in original post

scelikok · ‎03-25-2021

Hi @vn50b7z,

I think you are adding search into the dashboard source, < and > signs should be change to URL encoding,

Please try below;

| rex field=_raw "\"printerType\":\"(?&lt;prnType&gt;[^\"]+)\"" | table prnType

If this reply helps you an upvote is appreciated.

View solution in original post

vn50b7z · ‎03-25-2021

Yes this worked. Thanks for your help

soutamo · ‎03-25-2021

Another option is use

<![CDATA[ ....
| rex field=_raw "\"printerType\":\"(?<prnType>[^\"]+)\"" | table prnType
]]>

Splunk query working fine in search but not working in dashboard which has single display

regex

rex

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >

Splunk query working fine in search but not working in dashboard which has single display

regex

rex

Don't miss your chance to share your Splunk wisdom in-person or virtually at .conf21!Call for Speakers hasbeen extended throughThursday, 5/20! Submit Now! >

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >