I have search that works fine when run manually:
sourcetype=WinHostMonTest | rex field=_raw "CommandLine=(?.+[^\n])" | table CmdLine
But when I try to add it into my dashboard, it complains and the closing and will not save:
<search>
<query>index=perfmon source=process sourcetype=WinHostMon ProcessId=22864 earliest=$time.earliest$ latest=$time.latest$ host=$Host$ ProcessId=$ProcessID$ | dedup ProcessId | rex field=_raw "CommandLine=(?.+[^\n])" | table CmdLine < / query >
Hi smudge797,
you need to to escape the <
and >
in the XML using <
and >
or the <![CDATA[
tag, fine more details in the docs http://docs.splunk.com/Documentation/Splunk/6.4.3/AdvancedDev/AdvancedIntro#Special_characters_in_XM...
Hope this helps ...
cheers, MuS
Some things need to be encoded (e.g. angle-bracket characters). The easiest way to do this to let splunk do the encoding. First, save the xml with a dummy search that is so basic that Splunk will not be able to complain about it, such as this:
|noop
Then, click Edit Panels
(instead of Edit Source
) and a Magnifying Glass Icon
will appear in the upper-right corner of every panel. Click on this inside your panel and select "Edit Search String". Paste your actual search string into that dialog and click Save
. Done.
Cool work around. Thanks!
Pick the best answer and click "Accept" to close the Question.
If you really coded it like this < / query >
i.e. with spaces, you need to remove the spaces to make it a valid XML closing tag: </query>
. But maybe this is just a formatting issue.
Nope that's just so it would post in here. Went a bit freaky without the spaces.
Oh good spotting!
Hi smudge797,
you need to to escape the <
and >
in the XML using <
and >
or the <![CDATA[
tag, fine more details in the docs http://docs.splunk.com/Documentation/Splunk/6.4.3/AdvancedDev/AdvancedIntro#Special_characters_in_XM...
Hope this helps ...
cheers, MuS
CDATA worked fine. Thanks!