Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time comparison different results in search and dashboar

Ste
Path Finder
‎12-17-2024 05:51 AM

Dear experts

Why is the following line

 

| where my_time>=relative_time(now(),"-1d@d") AND my_time<=relative_time(now(),"@d")

 

Accepted as a valid statement in a search window, but as soon I want to use exactly this code in a dashboard, I get the error message: "Error in line 100: Unencoded <" ?

The dashboard code validator somehow fails with the <= comparison. 

>= works, as well = but not <= 

We're on splunkcloud. 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

luizlimapg
Path Finder
‎12-17-2024 10:27 AM

Hi @Ste, how are you?

Is &gt; for >
Your SPL is using &gr; instead.

 

| where my_time&gt;=relative_time(now(),"-1d@d") AND my_time&lt;=relative_time(now(),"@d")

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

luizlimapg
Path Finder
‎12-17-2024 10:27 AM

Hi @Ste, how are you?

Is &gt; for >
Your SPL is using &gr; instead.

 

| where my_time&gt;=relative_time(now(),"-1d@d") AND my_time&lt;=relative_time(now(),"@d")

 

 

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎12-17-2024 02:30 PM

@luizlimapg is correct.  If you copy and paste your search into Simple XML code window (or Dashboard Studio code window for that matter), some special characters will be interpreted by the XML engine (or the JSON engine).  If you need to do that, use HTML entities to represent these special characters.

It is best to avoid this, however.  If you have a panel, copy and paste your search code into the Search popup. (Similarly in the search box under Input.)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-17-2024 05:53 AM

Hi @Ste ,

in dashboards, you cannot use <> and you have to replace them with &lt; and &gt;

| where my_time&gr;=relative_time(now(),"-1d@d") AND my_time&lt;=relative_time(now(),"@d")

Ciao.

giuseppe

Reply
Solved! Jump to solution

Ste
Path Finder
‎12-17-2024 06:00 AM

Using the html tags from your proposal would lead into the error message "Error in Line 100: Invalid character entity"

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-17-2024 07:33 AM

Hi @Ste ,

Please share the code of your dashboard with the error using the "Insert/Edit Code Cample" button.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Ste
Path Finder
‎12-23-2024 03:54 AM

Gentlemen you're right

Search code:

 

| where my_time>=relative_time(now(),"-1d@d") AND _time<=relative_time(now(),"@d")

 

updated to 

 

| where my_time &gt;=relative_time(now(),"-1d@d") AND _time &lt;=relative_time(now(),"@d")

 

will work in a dashboard.

I started from scratch with all my trials and were not able to reproduce my issues with the html tags. 

This must be a classic PIBCAK (Problem Is Between Chair and Keyboard)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...