
Why are the search and query tags in my dashboard XML failing?

Motivator

Hi,

I wonder whether someone may be able to help me please.

I've put together the following in the Dashboard XML.

<search>
        <query>auditSource="matching" auditType="Tx*" detail.input-ida-request="*" 
 | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)" 
 | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?<idaSName>[^\"]+)"
 | eval idaFullName= idaFName." ".idaSName
 | eval idaFull_Details= "DOB: ".idaDOB.", Address: ".idaAddress.", NINO: ".idaNINO.", SAUTR: ".idaSAUTR 
 | makemv delim=", " idaFull_Details
 | table idaFullName idaFull_Details cidFull_Details ErrorCode generatedAt CreatedDate
          </query>
      </search>

The problem I have is that this is being rejected and the closing search and query tags are shown in red.

Could someone tell me where I've gone wrong with this?

Many thanks and kind regards

Chris

0 Karma

Re: Why are the search and query tags in my dashboard XML failing?

SplunkTrust

Have you tried enclosing the query in a CDATA section?

<query><![CDATA[auditSource=...]]></query>
---
If this reply helps you, an upvote would be appreciated.


Re: Why are the search and query tags in my dashboard XML failing?

Motivator

Hi @richgalloway, thank you for taking time to reply to my post.

This works perfectly, but could you explain to me what the [CDATA] does?

Also if you want to change this to an answer I can 'Accept' it.

Many thanks and kind regards

Chris

0 Karma

Re: Why are the search and query tags in my dashboard XML failing?

SplunkTrust

CDATA tells XML parsers to ignore everything within the following []. It's useful for embedding text that might confuse the parser.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
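
Added example, not part of the original thread: a Python sketch that feeds a shortened, constructed form of the question's query to a standard XML parser three ways (raw, CDATA-wrapped, entity-escaped). It assumes the dashboard source is parsed like any other XML document; the helper names are hypothetical. In the raw form the parser reads `<idaFName>` as an opening element, so the error is reported at `</query>`, consistent with the closing tags being flagged in the question.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a shortened form of the query in the question. The named
# capture group (?<idaFName>...) puts a literal "<" inside the <query> element.
SPL = r'''auditSource="matching" | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)" | table idaFName'''


def wrap_raw(spl):
    """Paste the search into <query> unchanged, as in the question."""
    return "<search><query>" + spl + "</query></search>"


def wrap_cdata(spl):
    """Wrap the search in CDATA so the parser treats it as plain text."""
    # A CDATA section ends at the first "]]>", so split that sequence
    # across two adjacent sections if the search ever contains it.
    safe = spl.replace("]]>", "]]]]><![CDATA[>")
    return "<search><query><![CDATA[" + safe + "]]></query></search>"


def wrap_escaped(spl):
    """Alternative to CDATA: entity-escape &, < and >."""
    return "<search><query>" + escape(spl) + "</query></search>"


def parse_query(xml_text):
    """Return (query_text, error); exactly one of the two is None."""
    try:
        return ET.fromstring(xml_text).findtext("query"), None
    except ET.ParseError as err:
        return None, str(err)


if __name__ == "__main__":
    for name, wrap in (("raw", wrap_raw), ("cdata", wrap_cdata), ("escaped", wrap_escaped)):
        text, error = parse_query(wrap(SPL))
        print(name, "OK" if text == SPL else "rejected: " + error)
```

Both the CDATA and the escaped form hand the parser's caller the same search string, character for character; CDATA simply keeps the regex readable in the dashboard source.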

Re: Why are the search and query tags in my dashboard XML failing?

Motivator

Ah, thank you for that. Much appreciated.

Kind Regards

Chris

0 Karma

Re: Why are the search and query tags in my dashboard XML failing?

SplunkTrust

Please accept the answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: Why are the search and query tags in my dashboard XML failing?

SplunkTrust

Try this

 <search>
         <query>auditSource="matching" auditType="Tx*" detail.input-ida-request="*" 
  | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)" 
  | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?<idaSName>[^\"]+)"
 | eval idaFullName= idaFName." ".idaSName
  | eval idaFull_Details= "DOB: ".idaDOB.", Address: ".idaAddress.", NINO: ".idaNINO.", SAUTR: ".idaSAUTR 
  | makemv delim=", " idaFull_Details
  | table idaFullName idaFull_Details cidFull_Details ErrorCode generatedAt CreatedDate
           </query>
       </search>
0 Karma

Re: Why are the search and query tags in my dashboard XML failing?

Motivator

Hi @somesoni2 thank you for taking the time to reply to my post, but unfortunately this doesn't work, but as you will see by my comment to @richgalloway, I was able to get his solution to work.

Many thanks and kind regards

Chris

0 Karma