Splunk Search

Why are the search and query tags in my dashboard XML failing?

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I've put together the following in the Dashboard XML.

<search>
  <query>auditSource="matching" auditType="Tx*" detail.input-ida-request="*"
  | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)"
  | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?<idaSName>[^\"]+)"
  | eval idaFullName= idaFName." ".idaSName
  | eval idaFull_Details= "DOB: ".idaDOB.", Address: ".idaAddress.", NINO: ".idaNINO.", SAUTR: ".idaSAUTR
  | makemv delim=", " idaFull_Details
  | table idaFullName idaFull_Details cidFull_Details ErrorCode generatedAt CreatedDate
  </query>
</search>

The problem I have is that this is being rejected and the closing search and query tags are shown in red.

Could someone tell me where I've gone wrong with this?

Many thanks and kind regards

Chris

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Have you tried enclosing the query in a CDATA section?

<query><![CDATA[auditSource=...]]></query>
---
If this reply helps you, Karma would be appreciated.


somesoni2
SplunkTrust
SplunkTrust

Try this

<search>
  <query>auditSource="matching" auditType="Tx*" detail.input-ida-request="*"
  | rex field="detail.input-ida-request" "\"firstName\":{\"value\":\"(?<idaFName>[^\"]+)"
  | rex field="detail.input-ida-request" "\"surnames\":\[\{\"value\":\"(?<idaSName>[^\"]+)"
  | eval idaFullName= idaFName." ".idaSName
  | eval idaFull_Details= "DOB: ".idaDOB.", Address: ".idaAddress.", NINO: ".idaNINO.", SAUTR: ".idaSAUTR
  | makemv delim=", " idaFull_Details
  | table idaFullName idaFull_Details cidFull_Details ErrorCode generatedAt CreatedDate
  </query>
</search>
0 Karma

IRHM73
Motivator

Hi @somesoni2, thank you for taking the time to reply to my post. Unfortunately this doesn't work, but as you will see from my comment to @richgalloway, I was able to get his solution to work.

Many thanks and kind regards

Chris

0 Karma

IRHM73
Motivator

Hi @richgalloway, thank you for taking time to reply to my post.

This works perfectly, but could you explain to me what the [CDATA] does?

Also if you want to change this to an answer I can 'Accept' it.

Many thanks and kind regards

Chris

0 Karma

richgalloway
SplunkTrust
SplunkTrust

CDATA tells XML parsers to ignore everything within the following []. It's useful for embedding text that might confuse the parser.

---
If this reply helps you, Karma would be appreciated.
0 Karma
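An added example, not from this thread, that reproduces the failure with Python's standard XML parser: the `(?<idaFName>...)` named group in the rex command looks like a start tag to the parser, so the real closing tags no longer match, and a CDATA section (or entity-escaping the `<`) hands the query through untouched. The dashboard fragment is constructed from the question.

```python
import xml.etree.ElementTree as ET

# Constructed from the question: the part of the SPL that breaks the XML.
# "(?<idaFName>" contains a bare "<", which XML reads as the start of a tag.
SPL = (
    'auditSource="matching" auditType="Tx*" detail.input-ida-request="*" '
    '| rex field="detail.input-ida-request" '
    '"\\"firstName\\":{\\"value\\":\\"(?<idaFName>[^\\"]+)"'
)


def dashboard_xml(query_text: str) -> str:
    """Wrap query text in the minimal <search><query> structure of Simple XML."""
    return f"<search><query>{query_text}</query></search>"


def parse_query(xml_text: str):
    """Return (query_text, None) if the XML parses, else (None, error message)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        # For the raw SPL this is a "mismatched tag" error: the parser opened an
        # <idaFName> element and then hit </query>, which is why the closing
        # tags are the ones highlighted in red in the dashboard editor.
        return None, str(e)
    return root.findtext("query"), None


def as_cdata(spl: str) -> str:
    """The fix from the accepted answer: CDATA makes the parser skip the content."""
    return f"<![CDATA[{spl}]]>"


def as_escaped(spl: str) -> str:
    """Alternative fix: escape XML-special characters so they are plain text."""
    return spl.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


if __name__ == "__main__":
    for label, body in (("raw", SPL), ("CDATA", as_cdata(SPL)), ("escaped", as_escaped(SPL))):
        text, err = parse_query(dashboard_xml(body))
        print(f"{label:8}: {'OK, query preserved' if err is None else 'ParseError: ' + err}")
```

Note that a CDATA section cannot itself contain the sequence `]]>`, so a query that includes it needs the escaping approach instead.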

IRHM73
Motivator

Ah, thank you for that. Much appreciated.

Kind Regards

Chris

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma