Splunk Search

Syntax question about adding custom regex fields into the XML of a dashboard

yumology
Path Finder

My search looks like this:

host="myfirewall-fw1" error_code=733100 | rex field=_raw "Current average rate is (?< avg >[^\']+) per second" | timechart max(avg) 

Upon adding it to the XML of a dashboard it looks like this:

< chart >
    < title >Number of Drop Rate Exceeded messages over time< /title >
    < searchTemplate >host="myfirewall-fw1" error_code=733100 | rex field=_raw "Current average rate is (?< avg >[^\']+) per second" | timechart max(avg)< /searchTemplate >
    < option name="charting.chart" >line< /option >
    < option name="charting.legend.placement" >right< /option >
< /chart >

The problem is that when "< avg >" is inside the XML tag < searchTemplate > I get bugs with an error saying "error parsing XML".
So how do I escape out the less than and greater than signs to put that in my search in my view?

Edit: The less than and greater than symbols won't show up in the post unless I add a space after them. Ignore those spaces.

1 Solution

Ron_Naken
Splunk Employee

The < and > symbols need to be written as you would for HTML. They look like this:

< is (amp)lt;
> is (amp)gt;

** substitute & for (amp) -- I'm not certain how to display them here without substitution.

yumology
Path Finder

Thanks. This combined with a little more searching helped me find the syntax.

http://splunk-base.splunk.com/answers/3435/escape-and-in-the-xml-of-dashboards?utm_source=supportcas...

0 Karma

Rob
Splunk Employee

You might want to try using the search for your dashboard in a normal search first to refine it before putting it in your dashboard XML.

I think the problem is escaping the backslash.

[^\']+

try

[^\\']+

You may need to use a third backslash in order to escape out the slash all the way and have both the backslash and the single quote as part of the negated character class.

0 Karma

Rob
Splunk Employee

Have you tried checking the search job inspector to see what it tells you when you open that dashboard in a new window?

0 Karma

yumology
Path Finder

I can't really see your code because XML isn't permitted to be displayed properly...
It is not the \ that is the problem. It is simply the fact that the XML thinks it sees an XML tag inside an XML tag and errors on the parsing.
I was able to put this into its own search then call it in the dashboard. However, my dashboard has a form element so my search actually looks like this:

host=$host$ error_code=733100 | ...

The form grabs the host and puts it in the $host$ variable. It doesn't seem to pass into a search though and so it's not working.

0 Karma
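
The escaping from the accepted answer, applied to the search in the question and checked with an XML parser. This is an added example, not code from any poster in the thread; the function names are made up for illustration, and the CDATA variant goes beyond the thread by showing standard XML's other way to keep `<` and `>` literal.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The search from the question, with the forum's display spaces removed.
SPL = r"""host="myfirewall-fw1" error_code=733100 | rex field=_raw "Current average rate is (?<avg>[^\']+) per second" | timechart max(avg)"""

CHART = """<chart>
    <title>Number of Drop Rate Exceeded messages over time</title>
    <searchTemplate>{search}</searchTemplate>
    <option name="charting.chart">line</option>
    <option name="charting.legend.placement">right</option>
</chart>"""


def chart_with_entities(spl):
    """Escape &, < and > as &amp;, &lt; and &gt; before embedding the search."""
    return CHART.format(search=escape(spl))


def chart_with_cdata(spl):
    """Alternative: wrap the search in CDATA so markup characters stay literal."""
    # A literal "]]>" would end the section early, so split it across two sections.
    return CHART.format(search="<![CDATA[" + spl.replace("]]>", "]]]]><![CDATA[>") + "]]>")


def parsed_search(chart_xml):
    """Return the search text as an XML parser sees it, or None if parsing fails."""
    try:
        return ET.fromstring(chart_xml).findtext("searchTemplate")
    except ET.ParseError:
        return None


if __name__ == "__main__":
    # Unescaped: the parser reads the named capture group as an element and fails.
    print("raw parses :", parsed_search(CHART.format(search=SPL)) is not None)
    # Both fixes hand the parser the exact original search string.
    print("entities ok:", parsed_search(chart_with_entities(SPL)) == SPL)
    print("cdata ok   :", parsed_search(chart_with_cdata(SPL)) == SPL)
    print(chart_with_entities(SPL))
```

The same rule covers `&`: a search containing a bare ampersand also fails to parse unless it is written as `&amp;` or placed inside CDATA.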