Dashboards & Visualizations

PARSER: Applying intentions failed Error in 'append' command: The last argument must be a subsearch.

msarro
Builder

Greetings everyone. I am trying to build a large search into a dashboard and getting the error shown in the title. Any ideas? It works just fine from the command line (other than the regex capture groups using the greater than/less than escape codes instead of symbols).

...
| append [search (index=prod_msp sourcetype=msp-prod Call_ID_1!=unknown Call_ID_1!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=prodcorr sourcetype=as-cdr AS_Direction=Terminating Call_ID_1!=NULL Call_ID_2!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=premed_pbts PBTS_ORIG_SIP_CALL_ID!=NULL PBTS_TERM_SIP_CALL_ID!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=premed_sbc SBC_ORIG_SIP_CALL_ID!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$))|eval CID1=Call_ID_1|eval CID2=coalesce(Call_ID_2,PBTS_TERM_SIP_CALL_ID)|eval CID3=coalesce(PBTS_ORIG_SIP_CALL_ID,SBC_TERM_SIP_CALL_ID)] 
...

As you can see, the last part of the append statement IS a subsearch, so I don't understand why splunk is complaining.

Tags (2)

moesaidi
Path Finder

Encountered a similar problem...
To fix, I re-wrote the query with spaces instead of tabs and it appears to have worked.
For example, I initially had:

index="searchindex" sourcetype="sourcetype" AND thisandthat
        | test1
        | test2
        | append [search blabalbal
                   | blablabla
                   | blablablabla
                   | blabla]
        | chart blablaa

Fixed by changing it to:

index="searchindex" sourcetype="sourcetype" AND thisandthat | test1 | test2 | append [search blabalbal | blablabla | blablablabla  | blabla]  | chart blablaa

I wrote the initial query in notepad++, copied/pasted it which is what failed. When re-written without the tabs it was fine.
I assume there is a character it didn't like that was inserted by NP++.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...