Splunk Search

Value node <query> is not supposed to have children

carinahOliveira
Explorer

 

I'm doing a query to return the text part of the log, but when using it on my dashboard it gives this error message: Value node <query> is not supposed to have children
 
my query:

index=... user Passed-Authentication earliest=@d
| rex field=_raw "mdm-tlv=ac-user-agent=(?<message>.*?),"
| table message

 
My dashboard:

<panel>
<single>
<title>Meu titulo</title>
<search>
<query>index=... user Passed-Authentication earliest=@d
| rex field=_raw "mdm-tlv=ac-user-agent=(?<message/>.*?),"
| table message </query>
</search>
<option name="height">96</option>
</single>
</panel>

 I believe the error is due to <message>, but I'm new to splunk
 
Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Angle brackets etc. need to be encoded when used in the dashboard XML

<panel>
<single>
<title>Meu titulo</title>
<search>
<query>index=... user Passed-Authentication earliest=@d
| rex field=_raw "mdm-tlv=ac-user-agent=(?&lt;message&gt;.*?),"
| table message </query>
</search>
<option name="height">96</option>
</single>
</panel>

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Angle brackets etc. need to be encoded when used in the dashboard XML

<panel>
<single>
<title>Meu titulo</title>
<search>
<query>index=... user Passed-Authentication earliest=@d
| rex field=_raw "mdm-tlv=ac-user-agent=(?&lt;message&gt;.*?),"
| table message </query>
</search>
<option name="height">96</option>
</single>
</panel>

View solution in original post

0 Karma

carinahOliveira
Explorer

It worked for me, thank you so much!

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@carinahOliveira 

Try this.

<panel>
<single>
<title>Meu titulo</title>
<search>
<query>index=... user Passed-Authentication earliest=@d
| rex field=_raw "mdm-tlv=ac-user-agent=(?<message>.*?),"
| table message </query>
</search>
<option name="height">96</option>
</single>
</panel>

 

KV

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!