- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Editing the dashboard source XML for a conditional...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Editing the dashboard source XML for a conditional count search, why am I getting error "StartTag: invalid element name"?
I am trying to count events where a field is in between a couple of ranges.
My field is detail.id which has the following format -> A1234567B
First thing I do is substring out the digits, then check if the digits are in certain ranges, and then count them.
baseSearch | eval id=substr(detail.id,2,7) | eval ps_id = if((id >= 2700000 AND id <= 2,704,999) OR (id >= 2730000 AND id <= 2735999), 1, 0) | stats sum(ps_id) as count
I am editing the source xml for a dashboard so when I try and save this, I get the following error:
Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 77: StartTag: invalid element name
This seems to be something with the < since when I take it out, I can save it, but the search, however, doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Within XML, in any literals or eval-type code, you have to encode the < and > in order for the system not to think you are writing XML tags. (And the commas in the number is a problem also.)
so, ...
| eval ps_id = if((id >= 2700000 AND id <= 2,704,999) OR (id >= 2730000 AND id <= 2735999), 1, 0)
... should be written as ...
| eval ps_id = if((id >= 2700000 AND id <= 2704999) OR (id >= 2730000 AND id <= 2735999), 1, 0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The commas in 2,704,999 break the eval command. The following test command worked -
baseSearch
| eval detailid="A1234567B"
| eval id=substr(detailid,2,7)
| eval ps_id = if((id >= 2700000 AND id <= 2704999) OR (id >= 2730000 AND id <= 2735999), 1, 0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I probably should have updated that without the comments. Now I can't as my reputation is too low.
The stats sum(ps_id) as count however returns 0?
Also still getting the error when editing the source of the dashboard?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
b/c ps_id is 0 ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but in my test data it shouldn't be
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
