Splunk Search

Your entry was not saved. The following error was reported: SyntaxError: JSON Parse error: Unrecognized token '<‘.

tristanmatthews
Path Finder

Hi,

So I'm inheriting some splunk code that I'm going through and cleaning up. It contains:

rex field=source "/data/splunk/(?<key>.*)/"

The search runs fine, when I navigate to it in the browser, (bread crumbs: splunk > manager >> Searches and reports >> [the search name] ) and modify a completely unrelated part of the search and go to save it it kicks the error

Your entry was not saved. The following error was reported: SyntaxError: Unexpected token <.

I'm fairly sure it's not escaping <> inside of quotes properly, so I can't save my search. I can however create a new search that has the exact same text in it.

Thanks,
Tristan

1 Solution

woodcock
Esteemed Legend

This is a bug in all of the latest versions of Splunk and I do not know what causes it. I do not have an entitlement to open a case on it but hopefully you do so please DO open a case. You can tell that this is a bug because you will get the same error even if you change NOTHING and just try to resave your search.

I have a workaround: Copy down the details of the Search and save it fresh. It will ALWAYS save OK, but, it will NEVER be re-editable.

View solution in original post

rh0dium
Explorer

Hi all,

Had this problem - A JSON browser extension for viewing formatted JSON responses was getting in the way. Once I disabled that extension worked like charm.

Ref: https://answers.splunk.com/answers/247389/cant-add-input-for-rest-ta-your-entry-was-not-save-1.html

jawaharas
Motivator

Thanks. It helped me as well.

0 Karma

thenino
Loves-to-Learn Lots

Thank you. I disabled my JSON viewer extension and it worked as should.

0 Karma

flakshack
Explorer

This was exactly my problem. Thanks for posting!

0 Karma

lpolo
Motivator

I faced this issue today. The only way I was able to make a change in the saved search was by cloning it.

woodcock
Esteemed Legend

Exactly. It is a bug.

0 Karma

vnguyen46
Contributor

This bug was fixed in version 8.0. I got the same issue in v7.3.2, upgraded to v8.0 to fix it.

0 Karma

ben_leung
Builder

I am not able to reproduce. Is there something out of the ordinary in the savedsearches.conf? Maybe this has been fixed. I'm using version 6.3.4

0 Karma

the_wolverine
Champion

It doesn't happen in most cases. Only small percentage of searches produce the error when modified.

0 Karma

woodcock
Esteemed Legend

This is a bug in all of the latest versions of Splunk and I do not know what causes it. I do not have an entitlement to open a case on it but hopefully you do so please DO open a case. You can tell that this is a bug because you will get the same error even if you change NOTHING and just try to resave your search.

I have a workaround: Copy down the details of the Search and save it fresh. It will ALWAYS save OK, but, it will NEVER be re-editable.

ranebshekhar
New Member

Is this ever fix in the latest version of splunk?

I am using SPLUNK 6.5 and still seeing the issue while editing SAVED searches.

0 Karma

woodcock
Esteemed Legend

I have not seen it since we upgraded to v7.* across many clients/clusters.

0 Karma

masonmorales
Influencer

I'm seeing the issue on v6.5.2 as well.

0 Karma

fairje
Communicator

I just wanted to point out that I just ran across this issue on my DMC. I was trying to edit the "Near Critical Disk Usage" alert to change it from 80% to 90%. I am currently running 6.4.3. Below is the current search string that is causing the error (even just saving it as is throws this error as pointed out).

| rest splunk_server_group=dmc_group_* /services/server/status/partitions-space 
| eval free = if(isnotnull(available), available, free) 
| eval usage = capacity - free 
| eval pct_usage = floor(usage / capacity * 100) 
| where pct_usage > 80 
| stats first(fs_type) as fs_type first(capacity) AS capacity first(usage) AS usage first(pct_usage) AS pct_usage by splunk_server, mount_point 
| eval usage = round(usage / 1024, 2) 
| eval capacity = round(capacity / 1024, 2) 
| rename splunk_server AS Instance mount_point as "Mount Point", fs_type as "File System Type", usage as "Usage (GB)", capacity as "Capacity (GB)", pct_usage as "Usage (%)"

The reason I point this out is your work-around of making a brand new search doesn't actually work. When I make a new report/alert and it still throws the error. The search runs just fine in the search bar.

It is also great because it is one of their searches, and is set-up to work on anyone's Splunk instances (assuming you have the DMC turned on). So it should be really easy to validate this bug and fix the issue. Not sure why your workaround isn't happening though. I'll get a bug report filed a bit later today with the above issue.

0 Karma

the_wolverine
Champion

Bug filed.

woodcock
Esteemed Legend

What is the JIRA (SPL-#)?

0 Karma

the_wolverine
Champion

Do you happen to have a reliable way to reproduce the issue? Splunk support claims to have no idea about this bug.

0 Karma

woodcock
Esteemed Legend

I just tested this search on v6.3.4, build cae2458faef. The following search is syntactically valid and will save just fine on creation but when re-editing it, any attempt to save will generate this error:

Your entry was not saved.  The following error was reported: SyntaxError: Unexpected token < in JSON at position 0.

This is the problematic search:

|dbxquery connection=xxx query="SELECT%20TOP%20100%0ACONVERT(NVARCHAR(4000)%2C%5BNotes%5D)%0Afrom%20xyz%22"

Please update your support ticket with these details.

0 Karma

woodcock
Esteemed Legend

So you do New, give it a name like JSON BUG, use |dbxquery connection=xxx query="SELECT%20TOP%20100%0ACONVERT(NVARCHAR(4000)%2C%5BNotes%5D)%0Afrom%20xyz%22" as the search string and click Save. It will save just fine. Then click Edit, then Save (do not change anything) and you will get the error.

0 Karma

wandrilleD
Engager

Had the same mistake on all my dashboards, just restarted and everythings worked fine but I still don't understand why...

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...