I can successfully run the following search from within Splunk:
sourcetype=ossim "Event received" ((plugin_id>=1001 AND plugin_id<=1131) OR plugin_id=1597) | lookup ossim_plugins plugin_id OUTPUT plugin_name | timechart count by plugin_name
I've tried to insert this search into a dashboard as follows:
<chart>
<title>IDS Events by Plugin (60 Minutes)</title>
<searchString>sourcetype=ossim "Event received" ((plugin_id>=1001 AND plugin_id<=1131) OR plugin_id=1597) | lookup ossim_plugins plugin_id OUTPUT plugin_name | timechart count by plugin_name</searchString>
<earliestTime>-1h</earliestTime>
<option name="charting.chart">area</option>
<option name="charting.legend.placement">right</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.nullValueMode">connect</option>
</chart>
When I restart Splunk, I see the following message from the console:
Error while parsing path to file not well-formed (invalid token): line 6, column 88
What am I doing wrong here?
Thanks!
I'd suspect that the unescaped < and > are causing the XML validator to complain. A quick fix would be to wrap the searchString in a CDATA block or individually XML escape the unsafe characters. Alternately, you could refer to a saved search by name, which might be considered cleaner.
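The two quick fixes from the answer, checked against Python's standard XML parser. This is an added example, not part of the original thread; the panel is trimmed to a few elements and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The search from the question, exactly as typed in the Splunk search bar.
SEARCH = ('sourcetype=ossim "Event received" '
          '((plugin_id>=1001 AND plugin_id<=1131) OR plugin_id=1597) '
          '| lookup ossim_plugins plugin_id OUTPUT plugin_name '
          '| timechart count by plugin_name')

# Trimmed copy of the dashboard panel; {body} is where the search goes.
PANEL = ('<chart>\n'
         '<title>IDS Events by Plugin (60 Minutes)</title>\n'
         '<searchString>{body}</searchString>\n'
         '<earliestTime>-1h</earliestTime>\n'
         '</chart>')


def raw_panel():
    """Search pasted verbatim: the bare '<' in '<=' is read as a tag start."""
    return PANEL.format(body=SEARCH)


def escaped_panel():
    """Fix 1: XML-escape the unsafe characters (& < > become entities)."""
    return PANEL.format(body=escape(SEARCH))


def cdata_panel():
    """Fix 2: wrap the search in a CDATA section so it is taken literally."""
    # A literal ']]>' would end the section early; this search has none.
    assert ']]>' not in SEARCH
    return PANEL.format(body='<![CDATA[' + SEARCH + ']]>')


def parsed_search(xml_text):
    """Return the search text an XML parser sees, or None if not well-formed."""
    try:
        return ET.fromstring(xml_text).findtext('searchString')
    except ET.ParseError as err:
        print('parse error:', err)
        return None


if __name__ == '__main__':
    for build in (raw_panel, escaped_panel, cdata_panel):
        print(build.__name__, '->', parsed_search(build()) == SEARCH)
```

Both fixed forms hand the parser the same search string that works in the search bar, so the query itself does not change.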