Why are the search and query tags in my dashboard XML failing?

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I've put together the following in the Dashboard XML.

<search>
        <query>auditSource="matching" auditType="Tx*" detail.input-ida-request="*" 
 | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)" 
 | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?<idaSName>[^\"]+)"
 | eval idaFullName= idaFName." ".idaSName
 | eval idaFull_Details= "DOB: ".idaDOB.", Address: ".idaAddress.", NINO: ".idaNINO.", SAUTR: ".idaSAUTR 
 | makemv delim=", " idaFull_Details
 | table idaFullName idaFull_Details cidFull_Details ErrorCode generatedAt CreatedDate
          </query>
      </search>

The problem I have is that this is being rejected and the closing search and query tags are shown in red.

Could someone tell me where I've gone wrong with this?

Many thanks and kind regards

Chris

1 Solution

richgalloway
SplunkTrust

Have you tried enclosing the query in a CDATA section?

<query><![CDATA[auditSource=...]]></query>
---
If this reply helps you, Karma would be appreciated.

somesoni2
Revered Legend

Try this

<search>
    <query>auditSource="matching" auditType="Tx*" detail.input-ida-request="*"
 | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)"
 | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?<idaSName>[^\"]+)"
 | eval idaFullName= idaFName." ".idaSName
 | eval idaFull_Details= "DOB: ".idaDOB.", Address: ".idaAddress.", NINO: ".idaNINO.", SAUTR: ".idaSAUTR
 | makemv delim=", " idaFull_Details
 | table idaFullName idaFull_Details cidFull_Details ErrorCode generatedAt CreatedDate
    </query>
</search>

IRHM73
Motivator

Hi @somesoni2, thank you for taking the time to reply to my post, but unfortunately this doesn't work. As you will see from my comment to @richgalloway, I was able to get his solution to work.

Many thanks and kind regards

Chris


IRHM73
Motivator

Hi @richgalloway, thank you for taking time to reply to my post.

This works perfectly, but could you explain to me what the [CDATA] does?

Also if you want to change this to an answer I can 'Accept' it.

Many thanks and kind regards

Chris


richgalloway
SplunkTrust

CDATA tells XML parsers to ignore everything within the following []. It's useful for embedding text that might confuse the parser.

---
If this reply helps you, Karma would be appreciated.
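To show concretely why the raw `<query>` in the question is rejected and why the CDATA fix in the accepted answer works, here is an added example (not code from the thread or from Splunk) that feeds a shortened, constructed version of the search through Python's standard XML parser three ways: as-is, wrapped in CDATA, and with the markup characters escaped. The `(?<idaFName>` named capture group contains a literal `<`, which the parser reads as the start of an element; the helper names `wrap_raw`, `wrap_cdata`, `wrap_escaped` and `query_text` are this example's own.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed, shortened form of the search from the question. The named
# capture group "(?<idaFName>...)" contains a raw '<' that an XML parser
# will treat as the start of an element called idaFName.
SPL = ('auditSource="matching" auditType="Tx*" detail.input-ida-request="*" '
       '| rex field="detail.input-ida-request" '
       '"\\"firstName\\":{\\"value\\":\\"(?<idaFName>[^\\"]+)" '
       '| table idaFName')


def wrap_raw(spl):
    """The form posted in the question: search text dropped straight into <query>."""
    return f"<search><query>{spl}</query></search>"


def wrap_cdata(spl):
    """The accepted fix: a CDATA section, inside which '<' and '&' are literal text.

    The one sequence CDATA cannot contain is ']]>' (it ends the section), so if the
    search ever contains it, split it across two adjacent CDATA sections; the parser
    joins adjacent character data back into a single text string.
    """
    body = spl.replace("]]>", "]]]]><![CDATA[>")
    return f"<search><query><![CDATA[{body}]]></query></search>"


def wrap_escaped(spl):
    """Alternative fix: escape '<', '>' and '&' as entities instead of using CDATA."""
    return f"<search><query>{escape(spl)}</query></search>"


def query_text(xml_fragment):
    """Parse the fragment and return the text of <query>, or None if it is not well-formed XML."""
    try:
        root = ET.fromstring(xml_fragment)
    except ET.ParseError:
        return None
    return root.findtext("query")


if __name__ == "__main__":
    for label, wrapper in (("raw", wrap_raw), ("cdata", wrap_cdata), ("escaped", wrap_escaped)):
        result = query_text(wrapper(SPL))
        status = "parse error" if result is None else "ok, search text recovered intact"
        print(f"{label:8s}: {status}")
```

Running it prints a parse error for the raw form (expat reports a mismatched tag, because `<idaFName>` is opened but `</query>` is what closes it) and recovers the search text unchanged for both the CDATA and the escaped forms. CDATA is the usual choice in Simple XML dashboards because the SPL stays readable, but the `]]>` splitting in `wrap_cdata` is worth keeping in mind for searches that build or match on that sequence.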

IRHM73
Motivator

Ah, thank you for that. Much appreciated.

Kind Regards

Chris


richgalloway
SplunkTrust

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.