Splunk Search

Why am I unable to save my search as a query in a dashboard panel?

smudge797
Path Finder

I have search that works fine when run manually:

sourcetype=WinHostMonTest | rex field=_raw "CommandLine=(?.+[^\n])" | table CmdLine

But when I try to add it into my dashboard, it complains and the closing and will not save:

 <search>
   <query>index=perfmon source=process sourcetype=WinHostMon ProcessId=22864 earliest=$time.earliest$ latest=$time.latest$ host=$Host$ ProcessId=$ProcessID$ | dedup ProcessId | rex field=_raw "CommandLine=(?.+[^\n])" | table CmdLine < / query >
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi smudge797,

you need to to escape the < and > in the XML using &lt; and &gt; or the <![CDATA[ tag, fine more details in the docs http://docs.splunk.com/Documentation/Splunk/6.4.3/AdvancedDev/AdvancedIntro#Special_characters_in_XM...

Hope this helps ...

cheers, MuS

View solution in original post

woodcock
Esteemed Legend

Some things need to be encoded (e.g. angle-bracket characters). The easiest way to do this to let splunk do the encoding. First, save the xml with a dummy search that is so basic that Splunk will not be able to complain about it, such as this:

|noop

Then, click Edit Panels (instead of Edit Source) and a Magnifying Glass Icon will appear in the upper-right corner of every panel. Click on this inside your panel and select "Edit Search String". Paste your actual search string into that dialog and click Save. Done.

smudge797
Path Finder

Cool work around. Thanks!

0 Karma

woodcock
Esteemed Legend

Pick the best answer and click "Accept" to close the Question.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

If you really coded it like this < / query > i.e. with spaces, you need to remove the spaces to make it a valid XML closing tag: </query>. But maybe this is just a formatting issue.

smudge797
Path Finder

Nope that's just so it would post in here. Went a bit freaky without the spaces.

0 Karma

MuS
SplunkTrust
SplunkTrust

Oh good spotting!

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi smudge797,

you need to to escape the < and > in the XML using &lt; and &gt; or the <![CDATA[ tag, fine more details in the docs http://docs.splunk.com/Documentation/Splunk/6.4.3/AdvancedDev/AdvancedIntro#Special_characters_in_XM...

Hope this helps ...

cheers, MuS

smudge797
Path Finder

CDATA worked fine. Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...