Solved: search fails in xml file

DTERM · ‎09-21-2012

The following search works fine in the Splunk search:

index=mydata | rex "\s+IP\s+(?\d+.\d+.\d+.\d+).(?\S+)\s+>\s+(?\d+.\d+.\d+.\d+).(?[a-z0-9]+):\s+" | top src_ip

When I take that same search and place it in an xml file like:

  <searchTemplate>

index=dns | rex "\s+IP\s+(?\d+.\d+.\d+.\d+).(?\S+)\s+>\s+(?\d+.\d+.\d+.\d+).(?[a-z0-9]+):\s+" | top src_ip

It fails. (That search in the XML starts and ends with the searchTemplate tags although I don't see those in this post, though they are there.) I get the following error when trying to start Splunk:

Checking configuration... Error while parsing '/opt/splunk/etc/apps/myApp/default/data/ui/views/source.xml':

mismatched tag: line 6, column 4

I don't see the mismatched tag. What is the problem with the XML?

Thanks.

bmacias84 · ‎09-21-2012

The problem with your search is the ">" and "<". The angel brackets are treated as part of XML tags. Replace those with the HTML entities & lt; and & gt; . Hope that fixes your problem.

View solution in original post

bmacias84 · ‎09-21-2012

The problem with your search is the ">" and "<". The angel brackets are treated as part of XML tags. Replace those with the HTML entities & lt; and & gt; . Hope that fixes your problem.

DTERM · ‎09-24-2012

Based on this response, I've created the following search:

index=data | rex "\s+IP\s+(?<src_ip> \d+.\d+.\d+.\d+).(?<src_port>\S+)\s+>\s+(?<dest_ip>\d+.\d+.\d+.\d+).(?<dest_port>[a-z0-9]+):\s+" | top src_ip

This still fails in the XML file. Is there anything within Splunk that helps resolve such regular expressions? Why does this not work? What is incorrect?

search fails in xml file

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7