I have search that works fine when run manually:
sourcetype=WinHostMonTest | rex field=_raw "CommandLine=(?.+[^\n])" | table CmdLine
But when I try to add it into my dashboard, it complains and the closing and will not save:
<search> <query>index=perfmon source=process sourcetype=WinHostMon ProcessId=22864 earliest=$time.earliest$ latest=$time.latest$ host=$Host$ ProcessId=$ProcessID$ | dedup ProcessId | rex field=_raw "CommandLine=(?.+[^\n])" | table CmdLine < / query >
you need to to escape the
> in the XML using
> or the
<![CDATA[ tag, fine more details in the docs http://docs.splunk.com/Documentation/Splunk/6.4.3/AdvancedDev/AdvancedIntro#Special_characters_in_XM...
Hope this helps ...
If you really coded it like this
< / query > i.e. with spaces, you need to remove the spaces to make it a valid XML closing tag:
</query>. But maybe this is just a formatting issue.
Some things need to be encoded (e.g. angle-bracket characters). The easiest way to do this to let splunk do the encoding. First, save the xml with a dummy search that is so basic that Splunk will not be able to complain about it, such as this:
Edit Panels (instead of
Edit Source) and a
Magnifying Glass Icon will appear in the upper-right corner of every panel. Click on this inside your panel and select "Edit Search String". Paste your actual search string into that dialog and click