Splunk Search

Search query is not fully resolved when using a "$" in a

ndcl
Path Finder

Hi Base,

I'm encountering a problem when creating a dashboard with Simple XML. I want to select a couple of events with a large event-selection phrase:

sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")

When I put this in a Simple XML element, e.g. chart or table, I get the error "Search query is not fully resolved". When I put this into the search view everything works fine. When I remove the "$" the search also works in sxml.

Does anyone know what's going on here?

Thanks


aelliott
Motivator

Could this be a bug with tokens?
http://answers.splunk.com/answers/109861/multiple-dollar-signs-in-data-cause-issues-when-searching

If you remove one of the dollar signs, does it work OK? And if you replace them both with asterisks (*), does it work?

ndcl
Path Finder

Yep, escaping in Simple XML works, but you have to "unescape" if you use it outside sxml...

Thanks!!

aelliott
Motivator

I guess someone attempted 2 dollar signs back to back; it will work everywhere: $$
http://answers.splunk.com/answers/60771/escaping-in-sideview-search-module

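Added example, not part of this thread: a small Python model of the `$$` escaping aelliott points to and the "unescape" step ndcl mentions. It assumes a simplified token resolver (`$$` is a literal `$`, `$name$` is a token, any other `$...$` pair or dangling `$` is unresolved); that is an assumption about dashboard behaviour for illustration, not Splunk's actual implementation, and the query is the original poster's search, shortened.

```python
import re

# The original poster's search (shortened), used here as constructed sample input.
RAW_QUERY = (
    'sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 '
    'OR (EventCode=680 AND Error_Code!="0x0") '
    'OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")'
)

# Assumed token syntax: "$$" is a literal "$", "$name$" is a token,
# a dangling "$" is an error. Simplified model, not Splunk's own code.
TOKEN_RE = re.compile(r"\$\$|\$([^$]*)\$|\$")


def escape_dollars(query):
    """Double each literal '$' before placing a search in Simple XML."""
    return query.replace("$", "$$")


def unescape_dollars(query):
    """Reverse escape_dollars() for use outside the dashboard (search bar, saved search)."""
    return query.replace("$$", "$")


def resolve_tokens(query, tokens):
    """Substitute dashboard tokens; return (resolved_query, list_of_unresolved_spans)."""
    unresolved = []

    def substitute(match):
        text = match.group(0)
        if text == "$$":
            return "$"
        name = match.group(1)
        if name is not None and name in tokens:
            return tokens[name]
        unresolved.append(text)  # unknown token name or dangling '$'
        return text

    return TOKEN_RE.sub(substitute, query), unresolved


def is_fully_resolved(query, tokens):
    """True when the query would not trigger "Search query is not fully resolved"."""
    return not resolve_tokens(query, tokens)[1]


if __name__ == "__main__":
    # Unescaped: the text between the two '$' is read as a (nonexistent) token name.
    print(resolve_tokens(RAW_QUERY, {})[1])
    # Escaped: each '$$' becomes a literal '$' and the query is fully resolved.
    print(is_fully_resolved(escape_dollars(RAW_QUERY), {}))
```

Running it shows the unescaped query leaving the span `$" OR Kontoname="$` unresolved, while the escaped query resolves back to the original text.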

ndcl
Path Finder

BTW: If I make this search a saved search and use it in sxml, the search also works...

ndcl
Path Finder

You are right: when I remove or replace the $, it works. I also thought it was related to the token bug, but in this search I do not use tokens. In another search, I use tokens very early in the selection part and one after in a sub search. This search results in the same error. The part between them looks similar to the sample above. When I remove the second token, the search works. Maybe it has something to do with the number of brackets I use in the search... one is OK. If I use 2, then the search fails when I use a "$", no matter if I use tokens or not.

amit_saxena
Communicator

Hi,

Try incorporating the search in "CDATA" (as shown below) and let us know if it works or not.

<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")]]>

Regards,
Amit Saxena

ndcl
Path Finder

It does not work even with CDATA...

If I use the above example, I get the following error: No search query provided.

amit_saxena
Communicator

Use it like this:
<![CDATA[sourcetype="WMI:WinEventLog:Security" EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR (EventCode=680 AND Error_Code!="0x0") OR (EventCode=4625 AND Account_Name="$" OR Kontoname="$")]]>
