I am trying to put below search query as base search in the dashboard's source code.Getting "unexpected close tag" error because of ">" and "<" which encloses new field name "Env" extracted from rex.
<search id="base_search">
<query>index=_internal earliest=-1d latest=now | rex field=host "(?P<Env>[[:alpha:]]{2})\-[[:alpha:]]+" </query>
</search>
Using backslash is not fixing.Can someone help me out here.
You need to wrap your query in CDATA tags, as described at https://docs.splunk.com/Documentation/Splunk/8.0.4/Viz/OverviewofSimplifiedXML
<search id="base_search">
<query>
<![CDATA[
index=_internal earliest=-1d latest=now | rex field=host "(?P<Env>[[:alpha:]]{2})\-[[:alpha:]]+"
]]>
</query>
</search>