Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time comparison different results in search and dashboar

Ste
Path Finder
2 weeks ago

Dear experts

Why is the following line

 

| where my_time>=relative_time(now(),"-1d@d") AND my_time<=relative_time(now(),"@d")

 

Accepted as a valid statement in a search window, but as soon I want to use exactly this code in a dashboard, I get the error message: "Error in line 100: Unencoded <" ?

The dashboard code validator somehow fails with the <= comparison. 

>= works, as well = but not <= 

We're on splunkcloud. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

luizlimapg
Path Finder
2 weeks ago

Hi @Ste, how are you?

Is &gt; for >
Your SPL is using &gr; instead.

 

| where my_time&gt;=relative_time(now(),"-1d@d") AND my_time&lt;=relative_time(now(),"@d")

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

luizlimapg
Path Finder
2 weeks ago

Hi @Ste, how are you?

Is &gt; for >
Your SPL is using &gr; instead.

 

| where my_time&gt;=relative_time(now(),"-1d@d") AND my_time&lt;=relative_time(now(),"@d")

 

 

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
2 weeks ago

@luizlimapg is correct.  If you copy and paste your search into Simple XML code window (or Dashboard Studio code window for that matter), some special characters will be interpreted by the XML engine (or the JSON engine).  If you need to do that, use HTML entities to represent these special characters.

It is best to avoid this, however.  If you have a panel, copy and paste your search code into the Search popup. (Similarly in the search box under Input.)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

Hi @Ste ,

in dashboards, you cannot use <> and you have to replace them with &lt; and &gt;

| where my_time&gr;=relative_time(now(),"-1d@d") AND my_time&lt;=relative_time(now(),"@d")

Ciao.

giuseppe

Reply
Solved! Jump to solution

Ste
Path Finder
2 weeks ago

Using the html tags from your proposal would lead into the error message "Error in Line 100: Invalid character entity"

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

Hi @Ste ,

Please share the code of your dashboard with the error using the "Insert/Edit Code Cample" button.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Ste
Path Finder
a week ago

Gentlemen you're right

Search code:

 

| where my_time>=relative_time(now(),"-1d@d") AND _time<=relative_time(now(),"@d")

 

updated to 

 

| where my_time &gt;=relative_time(now(),"-1d@d") AND _time &lt;=relative_time(now(),"@d")

 

will work in a dashboard.

I started from scratch with all my trials and were not able to reproduce my issues with the html tags. 

This must be a classic PIBCAK (Problem Is Between Chair and Keyboard)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...