Editing the dashboard source XML for a conditional count search, why am I getting error "StartTag: invalid element name"?

dan_pudwell
Explorer

I am trying to count events where a field is in between a couple of ranges.
My field is detail.id which has the following format -> A1234567B

First thing I do is substring out the digits, then check if the digits are in certain ranges, and then count them.

baseSearch | eval id=substr(detail.id,2,7) | eval ps_id = if((id >= 2700000 AND id <= 2,704,999) OR (id >= 2730000 AND id <= 2735999), 1, 0) | stats sum(ps_id) as count

I am editing the source xml for a dashboard so when I try and save this, I get the following error:

Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 77: StartTag: invalid element name

This seems to be something with the < since when I take it out, I can save it, but the search, however, doesn't work.

0 Karma

DalJeanis
SplunkTrust

Within XML, in any literals or eval-type code, you have to encode the < and > in order for the system not to think you are writing XML tags. (And the commas in the number are a problem also.)

so, ...

| eval ps_id = if((id >= 2700000 AND id <= 2,704,999) OR (id >= 2730000 AND id <= 2735999), 1, 0)  

... should be written as ...

| eval ps_id = if((id &gt;= 2700000 AND id &lt;= 2704999) OR (id &gt;= 2730000 AND id &lt;= 2735999), 1, 0)
0 Karma
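
An added example (not part of the original thread) that reproduces the save error outside Splunk and checks the fix: it wraps the thread's search in a Simple XML `<search><query>` element, shows that the raw `<=` makes the XML ill-formed, and confirms that entity escaping, and also a CDATA section (which goes beyond the answer above), hand the parser the original SPL unchanged. The helper names are hypothetical and the search string is assembled from the queries posted in this thread.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Search assembled from the thread (commas already removed from 2704999).
SPL = (
    "baseSearch | eval detailid=\"A1234567B\" | eval id=substr(detailid,2,7) "
    "| eval ps_id = if((id >= 2700000 AND id <= 2704999) "
    "OR (id >= 2730000 AND id <= 2735999), 1, 0) "
    "| stats sum(ps_id) as count"
)


def wrap_raw(spl):
    """Paste the search into the dashboard source as-is (what fails to save)."""
    return "<search><query>" + spl + "</query></search>"


def wrap_escaped(spl):
    """Encode &, < and > as entities so they are not read as markup."""
    return "<search><query>" + escape(spl) + "</query></search>"


def wrap_cdata(spl):
    """Keep the search readable by putting it in a CDATA section."""
    # A CDATA section ends at the first "]]>", so split that sequence if present.
    safe = spl.replace("]]>", "]]]]><![CDATA[>")
    return "<search><query><![CDATA[" + safe + "]]></query></search>"


def parsed_query(xml_text):
    """Return the query text an XML parser sees, or None if the XML is ill-formed."""
    try:
        return ET.fromstring(xml_text).findtext("query")
    except ET.ParseError:
        return None


if __name__ == "__main__":
    for name, build in (("raw", wrap_raw), ("escaped", wrap_escaped), ("cdata", wrap_cdata)):
        result = parsed_query(build(SPL))
        print(name, "->", "parse error" if result is None else "ok, SPL preserved: %s" % (result == SPL))
```
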

ddrillic
Ultra Champion

The commas in 2,704,999 break the eval command. The following test command worked -

baseSearch
| eval detailid="A1234567B"
| eval id=substr(detailid,2,7)
| eval ps_id = if((id >= 2700000 AND id <= 2704999) OR (id >= 2730000 AND id <= 2735999), 1, 0)

0 Karma

dan_pudwell
Explorer

I probably should have updated that without the comments. Now I can't as my reputation is too low.
The stats sum(ps_id) as count however returns 0?
Also still getting the error when editing the source of the dashboard?

0 Karma

ddrillic
Ultra Champion

b/c ps_id is 0 ....

0 Karma

dan_pudwell
Explorer

but in my test data it shouldn't be

0 Karma