Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 50: Premature end of data in tag form line 1

1
votes

When I execute this query in Splunk , I get the following result:

host=PVUKSDCWTMS004 sourcetype="UK_Latency_Measure" | rex "Date :,(?\d\d\d\d-\d\d-\d\d)," | rex "Time :,(?\d\d:\d\d)," | rex "TF-WOL : (?\d+),TF-WL : (?\d+)," | eval TF-TOT = (TFWOL + TFWL) | Table Time Dates TFWL TFWOL | sort +Dates +Time

But when I parse the same query within the Splunk dashboard, I get the below error

Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 51: Premature end of data in tag form line 1

1
parsingsplunk

1 Answers

0
votes

Note: In your original query above, it looks like some content was not rendered properly. The error message relates to a missing balance between XML open and closing tags, i.e. elements identified by open and close brackets. I presume in the Splunk rex command above you used brackets to capture a new field name.

Save the original Splunk search as a "Dashboard Panel" first, then Edit the Dashboard to examine the XML source. You will see all of the "less than" and "greater than" brackets changed to the XML/HTML escape sequences: 

So "<" becomes "&lt;" and ">" becomes "&gt;" in the Splunk XML dashboard.

See also: What do &lt; and &gt; stand for?