Solved: Re: removal of special character < question

hermeslxxv · ‎03-26-2016

Hello Everyone,
I am trying to format some syslog data for a dashboard output. I have no idea how to remove the < character within a search template. when I use replace in a search it works fine, but the template wont accept the string. ive also tried rex mode sed with no luck.

| replace "*< cr> ]" WITH "*" IN CmdSet
:note there is no space in front of the cr.

Any suggestions are appreciated!

martin_mueller · ‎03-26-2016

If you're editing XML by hand, you need to replace < with > or wrap the entire search string in <![CDATA[search string]]>. Else the opening angle bracket gets interpreted as the start of an XML tag.

If you're editing through the UI the replacement should happen automagically.

View solution in original post

martin_mueller · ‎03-26-2016

If you're editing XML by hand, you need to replace < with > or wrap the entire search string in <![CDATA[search string]]>. Else the opening angle bracket gets interpreted as the start of an XML tag.

If you're editing through the UI the replacement should happen automagically.

hermeslxxv · ‎03-26-2016

wrapping the entire string worked perfectly, thank you

removal of special character < question

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?