Hi Base,
I'm encountering a problem when creating a dashboard with Simple XML. I want to select a couple of events with a large event selection phrase:
sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")
When I put this in a Simple XML element, e.g. a chart or table, I get the error "Search query is not fully resolved". When I put this into the search view everything works fine. When I remove the "$" the search also works in sxml.
Does anyone know what's going on here?
Thanks
Could this be a bug with tokens?
http://answers.splunk.com/answers/109861/multiple-dollar-signs-in-data-cause-issues-when-searching
If you remove one of the dollar signs, does it work OK? And if you replace them both with asterisks (*), does it work?
Yep, escaping in Simple XML works, but you have to "unescape" if you use it outside sxml...
Thanks!!
I guess someone attempted 2 dollar signs back to back will work everywhere $$
http://answers.splunk.com/answers/60771/escaping-in-sideview-search-module
BTW: if I make this search a saved search and use it in sxml, the search also works...
You are right, when I remove or replace the $ then it works. I also thought it was related to the token bug, but in this search, I do not use tokens. In another search, I use tokens very early in the selection part and one after in a subsearch. This search results in the same error. The part between them looks similar to the sample above. When I remove the second token, the search works. Maybe it has something to do with the number of brackets I use in the search… one is OK. If I use 2 then the search fails when I use a “$”, no matter if I use tokens or not.
Hi,
Try incorporating the search in "CDATA" (as shown below) and let us know if it works or not.
<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")]]>
Regards,
Amit Saxena
It does not work even with CDATA...
If I use the above example I get the following error: No search query provided.
Use like this