Splunk Search

Error parsing dashboard XML: Duplicate search type primary is not allowed. Go to "Edit Source" to fix.

mhornste
Path Finder

Hi,

I have an entire Dashboard which works with Splunk 6.5.x. very well. Unfortunately, since I upgraded to Splunk 7 (currently 7.0.3, issue also exists with 7.0.1), the following error is displayed when opening the Dashboard:

Error parsing dashboard XML: Duplicate search type primary is not allowed. Go to "Edit Source" to fix.

The dashboard on edit session says "2 Validation errors, 49 validation warnings". I can't find the lines where the errors happen.

Pleas find two screenshots here:

https://imgur.com/a/FlJoF

I'm happy to do the analysis myself, but I don't know where to look.

The Dashboard has the following XML source:

<form>
  <label>Performance</label>
  <description>Displays current performance status derived from summary timings logs.</description>
  <fieldset submitButton="false">
    <input type="time">
      <label/>
      <default>
        <earliestTime>-1h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <a href="correlation_charts"><b>Correlation Charts >></b></a> . . | . . <a href="requests_by_function"><b>Performance Analytics >></b></a>. . | . . <a href="queue_time_charts"><b>Queue Time Charts >></b></a>
 </html>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <a href="performance_time_charts?form.metric=ThreadConcurrency">Click for time charts</a>
</html>
      <chart>
        <title>Thread Usage (Concurrent Threads)</title>
        <searchString>| savedsearch ThreadConcurrencyAlert | stats max(concurrency) as "Max Concurrent Treads" by host | eval Threshold = `ThreadConcurrencyThreshold`</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <drilldown>
          <link>
            <![CDATA[
  performance_time_charts?form.metric=ThreadConcurrency
]]>
          </link>
        </drilldown>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.overlayFields">Threshold</option>
        <option name="charting.axisY.maximumNumber">32</option>
        <option name="charting.axisLabelsY.majorUnit">8</option>
      </chart>
    </panel>
    <panel>
      <html>
      <a href="performance_time_charts?form.metric=QueueDepth">Click for time charts</a>
</html>
      <chart>
        <title>Maximum Queue Depth (requests)</title>
        <searchString>`QueueDepthFilter` | stats `QueueDepthFunction(QueueTime)` as QueueDepth by host | eval Threshold=`QueueDepthThreshold`</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <drilldown>
          <link>
            <![CDATA[
  performance_time_charts?form.metric=QueueDepth
]]>
          </link>
        </drilldown>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.overlayFields">Threshold</option>
        <option name="charting.axisY.maximumNumber">16</option>
        <option name="charting.axisLabelsY.majorUnit">4</option>
      </chart>
    </panel>
    <panel>
      <html>
      <a href="performance_time_charts?form.metric=QueueTime">Click for time charts</a>
</html>
      <chart>
        <title>Average Queue Time (s)</title>
        <searchString>`QueueTimeFilter` | stats `QueueTimeFunction(QueueTime)` as QueueTime | eval QueueTime = round(QueueTime, 3) | eval Threshold=`QueueTimeThreshold`</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <drilldown>
          <link>
            <![CDATA[
  performance_time_charts?form.metric=QueueTime
]]>
          </link>
        </drilldown>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.rangeValues">[0,0.75,1,"2"]</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
      </chart>
    </panel>
    <panel>
      <html>
      Click a UserName for details
</html>
      <table>
        <title>Heavy Users</title>
        <searchName>ActiveClientAlert</searchName>
        <searchString>| savedsearch HeavyUserAlert</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
        <drilldown target="User in Content Server">
          <link>
            <![CDATA[
  https://URL
]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <a href="performance_time_charts?form.metric=ExecutionTime">Click for time charts</a>
     </html>
      <chart>
        <title>Average Execution Time (s)</title>
        <searchString>`ExecutionTimeFilter` | stats `ExecutionTimeFunction(ExecutionTime)` as ExecutionTime | eval ExecutionTime = round(ExecutionTime, 3) | eval Threshold=`ExecutionTimeThreshold`</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <drilldown>
          <link>
            <![CDATA[
  performance_time_charts?form.metric=ExecutionTime
]]>
          </link>
        </drilldown>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.rangeValues">[0,"0.8","1","2"]</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
      </chart>
    </panel>
    <panel>
      <html>
      <a href="performance_time_charts?form.metric=SqlTime">Click for time charts</a>
     </html>
      <chart>
        <title>Average SQL Time (s)</title>
        <searchString>`SqlTimeFilter` | stats `SqlTimeFunction(SqlTime)` as SqlTime | eval SqlTime = round(SqlTime, 3) | eval Threshold=`SqlTimeThreshold`</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <drilldown>
          <link>
            <![CDATA[
  performance_time_charts?form.metric=SqlTime
]]>
          </link>
        </drilldown>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.rangeValues">[0,".4",".5","1"]</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
      </chart>
    </panel>
    <panel>
      <html>
      <a href="performance_time_charts?form.metric=SearchTime">Click for time charts</a>
</html>
      <chart>
        <title>Median Search Time (s)</title>
        <searchString>`SearchTimeFilter` | stats `SearchTimeFunction(SearchTime)` as SearchTime | eval SearchTime = round(SearchTime, 3) | eval Threshold=`SearchTimeThreshold`</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <drilldown>
          <link>
            <![CDATA[
  performance_time_charts?form.metric=SearchTime
]]>
          </link>
        </drilldown>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart.rangeValues">[0,"8","10","20"]</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
      </chart>
    </panel>
    <panel>
      <html>
      Click an ObjectId for details
</html>
      <table>
        <title>Slow Objects</title>
        <searchString>| savedsearch SlowObjectAlert</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <drilldown target="Object in Content Server">
          <link>
            <![CDATA[
  https://URL
]]>
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
0 Karma
1 Solution

niketn
Legend

@mhornste, take out the following piece of code.

<searchName>ActiveClientAlert</searchName>

Moreover following should also be changed (Splunk shows warning however these will still continue to work)

1) <searchString>...</searchString> should be replaced with <search><query>...</query></search>. <earliestTime> with <earliest> and <latestTime> with <latest>. Notation used since version 6.2 +

Refer to answer: https://answers.splunk.com/answers/231799/whats-the-difference-between-searchstring-and-quer-1.html

2) chart options do not use following configurations:

     <option name="wrap">true</option>
     <option name="rowNumbers">false</option>
     <option name="dataOverlayMode">none</option>
     <option name="count">10</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@mhornste, take out the following piece of code.

<searchName>ActiveClientAlert</searchName>

Moreover following should also be changed (Splunk shows warning however these will still continue to work)

1) <searchString>...</searchString> should be replaced with <search><query>...</query></search>. <earliestTime> with <earliest> and <latestTime> with <latest>. Notation used since version 6.2 +

Refer to answer: https://answers.splunk.com/answers/231799/whats-the-difference-between-searchstring-and-quer-1.html

2) chart options do not use following configurations:

     <option name="wrap">true</option>
     <option name="rowNumbers">false</option>
     <option name="dataOverlayMode">none</option>
     <option name="count">10</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mhornste
Path Finder

Hi niketnilay,

thanks, that worked. All Validation issues are now gone since I have implemented your suggested changes and have also moved the etc. tags into the search tag.

Is there a way in Splunk 7.x to activate legacy mode? The error is gone, but all Dashboards now say "bad allocation" and one is saying " Error in 'eval' command: The expression is malformed. A comparison term is missing. "

Those with bad allocation have e.g. the following search string: QueueDepthFilter | stats QueueDepthFunction(QueueTime) as QueueDepth by host | eval Threshold=QueueDepthThreshold

Thanks

0 Karma

niketn
Legend

Can you just try to run the following in Search bar and see which of the macro is not working as expected?
Most likely the issue would be with macro QueueDepthThreshold, so take also take out final eval and see whether error is still there or not. If you can isolate issue with the macro you will have to re-evaluate the macro definition.

`QueueDepthFilter` | stats `QueueDepthFunction(QueueTime)` as QueueDepth by host | eval Threshold=`QueueDepthThreshold`

Same for other panels also, test out where is the issue is.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@mhornste if your issue is resolved, please accept the answer to mark this question as answered. If not please ask further details you need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Sukisen1981
Champion

Suspect it could issues with the input time token and how the same is referenced in your panels.
In your 6.5 version, how is the xml for the input time token defined? does it have a token defined something like this?

<fieldset submitButton="false">
     <input type="time" token="field1">

And you are probably passing the input time token to the panels below, does it look something like this?

<row>
     <panel>
       <event>
         <search>
           <query>blah blah blah</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>

Can you check that out?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...