Splunk Search
Highlighted

Syntax question about adding custom regex fields into the XML of a dashboard

Path Finder

My search looks like this:

host="myfirewall-fw1" error_code=733100 | rex field=_raw "Current average rate is (?< avg >[^\']+) per second" | timechart max(avg) 

Upon adding it to the XML of a dashboard it looks like this:

< chart >
    < title >Number of Drop Rate Exceeded messages over time< /title >
    < searchTemplate >host="myfirewall-fw1" error_code=733100 | rex field=_raw "Current average rate is (?< avg >[^\']+) per second" | timechart max(avg)< /searchTemplate >
    < option name="charting.chart" >line< /option >
    < option name="charting.legend.placement" >right< /option >
< /chart >

The problems is that when "< avg >" is inside the XML tage < searchTemplate > I get bugs with an error saying "error parsing XML".
So how do I escape out the less than and greater than signs to put that in my search in my view?

Edit: The less than and greater than symbols won't show up in the post unless I add a space after them. Ignore those spaces.

Tags (2)
0 Karma
Highlighted

Re: Syntax question about adding custom regex fields into the XML of a dashboard

Splunk Employee
Splunk Employee

You might want to try using the search for your dashboard in a normal search first to refine it before putting it in your dashboard XML.

I think the problem is escaping the backslash.

[^\']+

try

[^\\']+

You may need to use a third backslash in order to escape out the slash all the way and have both the backslash and the single quote as part of the negated character class.

0 Karma
Highlighted

Re: Syntax question about adding custom regex fields into the XML of a dashboard

Path Finder

I can't really see your code because XML isn't permmited to be displayed properly...
It is not the \ that is the problem. It is simply the fact that the XML thinks it sees an XML tag inside an XML tag and errors on the parsing.
I was able to put this into it's on search then call it in the dashboard. However, my dashboard has a form element so my search actually looks like this:

host=$host$ error_code=733100 | ...

The form grabs the host and puts it in the $host$ variable. It doesn't seem to pass into a search though and so it's not working.

0 Karma
Highlighted

Re: Syntax question about adding custom regex fields into the XML of a dashboard

Splunk Employee
Splunk Employee

Have you tried checking the search job inspector to see what it tells you when you open that dashboard in a new window?

0 Karma
Highlighted

Re: Syntax question about adding custom regex fields into the XML of a dashboard

Splunk Employee
Splunk Employee

The < and > symbols need to be written as you would for HTML. They look like this:

< is (amp)lt;
> is (amp)gt;

** substitute & for (amp) -- I'm not certain how to display them here without substitution.

View solution in original post

0 Karma
Highlighted

Re: Syntax question about adding custom regex fields into the XML of a dashboard

Path Finder

Thanks. This combined with a little more searching helped me find the syntax.

http://splunk-base.splunk.com/answers/3435/escape-and-in-the-xml-of-dashboards?utm_source=supportcas...

0 Karma