Solved: Why does my search return error "Unable to parse t...

HealyDPS · ‎01-30-2017

I had this search working and now it seems to have stopped gives an error. Thoughts?

Search:

index=symantec sourcetype=file Host_Name=[search index=dhcp "*ip address*" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | return $Hostname] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

Error:

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

harshal_chakran · ‎01-30-2017

Try using it like this:

 index=symantec sourcetype=file [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | rename Hostname as Host_Name] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

Removed the comparator and used subsearch.

View solution in original post

abhinav_maxonic · ‎07-17-2017

Check the macro definition in macros.conf at the location /opt/splunk/etc/apps/digitalguardian_web . In my case, the marco was wrongly defined.

$SPLUNK_HOME$/etc/apps/digitalguardian_web/local/macros.conf
Wrong Definition -
[index_macro]
definition = index=digitalguardian
Right Definition
[index_macro]
definition = digitalguardian

jplumsdaine22 · ‎01-31-2017

The error is most likely triggereing because the subsearch [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort by _time desc | rex "$(?.*?)$"| dedup Hostname | table Hostname | return $Hostname] is resolving to NULL, therefore your outer search is being run as

index=symantec sourcetype=file Host_Name= | ... etc

Check that your subsearch returns results, either by running the search on its own or look in the job inspector

HealyDPS · ‎01-31-2017

I did the sub search and I get the information I am looking for. So how would I fix this now? Also I put in the information wrong. I am added a more correct search string.

harshal_chakran · ‎01-30-2017

Try using it like this:

 index=symantec sourcetype=file [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | rename Hostname as Host_Name] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

Removed the comparator and used subsearch.

HealyDPS · ‎01-31-2017

Thanks that worked. Plus I figured out why no results were coming back. Thanks again.

jplumsdaine22 · ‎01-31-2017

This is a saner method for sure

HealyDPS · ‎01-31-2017

So I did this:

No longer getting error but I am getting no results. But if I put the results of the subsearch in search I will get the results I want. Both searches seems to work by themselves but not together.

Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!