My search looks like this:
host="myfirewall-fw1" error_code=733100 | rex field=_raw "Current average rate is (?< avg >[^\']+) per second" | timechart max(avg)
Upon adding it to the XML of a dashboard it looks like this:
< chart > < title >Number of Drop Rate Exceeded messages over time< /title > < searchTemplate >host="myfirewall-fw1" error_code=733100 | rex field=_raw "Current average rate is (?< avg >[^\']+) per second" | timechart max(avg)< /searchTemplate > < option name="charting.chart" >line< /option > < option name="charting.legend.placement" >right< /option > < /chart >
The problems is that when "< avg >" is inside the XML tage < searchTemplate > I get bugs with an error saying "error parsing XML".
So how do I escape out the less than and greater than signs to put that in my search in my view?
Edit: The less than and greater than symbols won't show up in the post unless I add a space after them. Ignore those spaces.
You might want to try using the search for your dashboard in a normal search first to refine it before putting it in your dashboard XML.
I think the problem is escaping the backslash.
You may need to use a third backslash in order to escape out the slash all the way and have both the backslash and the single quote as part of the negated character class.
I can't really see your code because XML isn't permmited to be displayed properly...
It is not the \ that is the problem. It is simply the fact that the XML thinks it sees an XML tag inside an XML tag and errors on the parsing.
I was able to put this into it's on search then call it in the dashboard. However, my dashboard has a form element so my search actually looks like this:
host=$host$ error_code=733100 | ...
The form grabs the host and puts it in the $host$ variable. It doesn't seem to pass into a search though and so it's not working.
Have you tried checking the search job inspector to see what it tells you when you open that dashboard in a new window?
The < and > symbols need to be written as you would for HTML. They look like this:
< is (amp)lt; > is (amp)gt;
** substitute & for (amp) -- I'm not certain how to display them here without substitution.