Splunk Search

'Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the left hand side'

prathapkcsc
Explorer

Hi,
I am getting the below error
'Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the left hand side'

My search looks like this

source="path\\to\\the\\files\\*" host="my" index="main"  | rex "^\s*(?<Type>[^,]+),\s*(?<Category>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<Cpu_Usage_Percentage>[^,]+),\s*(?<Total_Disk_TB>[^,]+),\s*(?<Used_Disk_TB>[^,]+),\s*(?<Total_Memory_GB>[^,]+),\s*(?<Used_Memory_GB>\S+)"
| table  _time Type Category  Count Cpu_Usage_Percentage Total_Disk_TB Used_Disk_TB Total_Memory_GB Used_Memory_GB

My XML file looks like this

<form>
  <label>7 days metrics</label>
  <fieldset submitButton="false">
    <input type="dropdown"  token="TIME_STRING" searchWhenChanged="true">
      <label>Select Day</label>
          <choice value="earliest=@d latest=now">Today</choice>
       <choice value="earliest=-d@d latest=@d">Yesterday</choice>
       <choice value="earliest=-2d@d latest=-d@d">2 Days Ago</choice>
       <choice value="earliest=-3d@d latest=-2d@d">3 Days Ago</choice>
       <choice value="earliest=-4d@d latest=-3d@d">4 Days Ago</choice>
       <choice value="earliest=-5d@d latest=-4d@d">5 Day Ago</choice>
       <choice value="earliest=-6d@d latest=-5d@d">6 Days Ago</choice>
       <choice value="eariiest=-7d@d latest=-6d@d">7 Days Ago</choice>
       <default>earliest=@d latest=now</default>
     </input>
  </fieldset>
  <row>
    <panel>
     <event>
        <search>
          <query>>$TIME_STRING$index = main | head 10</query>
          <earliest>-4d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
           <option name="count">20</option>
           <option name="list.drilldown">none</option>
           <option name="list.wrap">1</option>
           <option name="maxLines">10</option>
           <option name="raw.drilldown">full</option>
           <option name="rowNumbers">0</option>
           <option name="table.drilldown">all</option>
           <option name="table.sortDirection">asc</option>
           <option name="table.wrap">1</option>
           <option name="type">list</option>
    </event>
    </panel>
  </row>
</form>

But, I am getting the above error.
Can anyone help me on this?
Thank you.

0 Karma
1 Solution

sbbadri
Motivator

There is a typo "query>>"; it should be query> $TIME_STRING$ index = main | head 10

There is a typo in "earliest" as well, in the "7 Days Ago" choice.


0 Karma


prathapkcsc
Explorer

Sorry, I removed that.
But a new error came up:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: latest=nowindex

0 Karma

sbbadri
Motivator

There should be a space between $TIME_STRING$ and index=main.

$TIME_STRING$ index=main

0 Karma

prathapkcsc
Explorer

Perfect. But I want the data in table format.

<form>
  <label>7 days metrics</label>
  <fieldset submitButton="false">
    <input type="dropdown"  token="TIME_STRING" searchWhenChanged="true">
      <label>Select Day</label>
          <choice value="earliest=@d latest=now">Today</choice>
       <choice value="earliest=-d@d latest=@d">Yesterday</choice>
       <choice value="earliest=-2d@d latest=-d@d">2 Days Ago</choice>
       <choice value="earliest=-3d@d latest=-2d@d">3 Days Ago</choice>
       <choice value="earliest=-4d@d latest=-3d@d">4 Days Ago</choice>
       <choice value="earliest=-5d@d latest=-4d@d">5 Day Ago</choice>
       <choice value="earliest=-6d@d latest=-5d@d">6 Days Ago</choice>
       <choice value="eariiest=-7d@d latest=-6d@d">7 Days Ago</choice>
       <default>earliest=@d latest=now</default>
     </input>
  </fieldset>
  <row>
    <panel>
     <event>
        <search>
          <query> $TIME_STRING$ source="path\\*" host="my" index="main"  | rex "^\s*(?<Type>[^,]+),\s*(?<Category>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<Cpu_Usage_Percentage>[^,]+),\s*(?<Total_Disk_TB>[^,]+),\s*(?<Used_Disk_TB>[^,]+),\s*(?<Total_Memory_GB>[^,]+),\s*(?<Used_Memory_GB>\S+)"
| table  _time Type Category  Count Cpu_Usage_Percentage Total_Disk_TB Used_Disk_TB Total_Memory_GB Used_Memory_GB </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
           <option name="count">20</option>
           <option name="list.drilldown">none</option>
           <option name="list.wrap">1</option>
           <option name="maxLines">10</option>
           <option name="raw.drilldown">full</option>
           <option name="rowNumbers">0</option>
           <option name="table.drilldown">all</option>
           <option name="table.sortDirection">asc</option>
           <option name="table.wrap">1</option>
           <option name="type">list</option>
    </event>
    </panel>
  </row>
</form>

It's giving me an error like "invalid closing tag" on the query line.

0 Karma

prathapkcsc
Explorer

I placed the entire query in a CDATA section. It's working now. Thank you for the help.

0 Karma
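The working dashboard, as an added example of the fix the thread converges on (not the poster's final file, which is not shown): the token is followed by a space, the "eariiest" typo is corrected, the query is wrapped in CDATA, and the panel is a <table> rather than <event> because the poster wanted table output; the source path is the placeholder from the post.

```xml
<form>
  <label>7 days metrics</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="TIME_STRING" searchWhenChanged="true">
      <label>Select Day</label>
      <choice value="earliest=@d latest=now">Today</choice>
      <choice value="earliest=-d@d latest=@d">Yesterday</choice>
      <choice value="earliest=-2d@d latest=-d@d">2 Days Ago</choice>
      <choice value="earliest=-3d@d latest=-2d@d">3 Days Ago</choice>
      <choice value="earliest=-4d@d latest=-3d@d">4 Days Ago</choice>
      <choice value="earliest=-5d@d latest=-4d@d">5 Days Ago</choice>
      <choice value="earliest=-6d@d latest=-5d@d">6 Days Ago</choice>
      <!-- "eariiest" typo from the thread corrected here -->
      <choice value="earliest=-7d@d latest=-6d@d">7 Days Ago</choice>
      <default>earliest=@d latest=now</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- CDATA keeps the XML parser away from the "<" in (?<Type>...);
               the token is followed by a space so the substituted "latest=now"
               does not fuse with the next term into "latest=nowsource" -->
          <query><![CDATA[
$TIME_STRING$ source="path\\*" host="my" index="main"
| rex "^\s*(?<Type>[^,]+),\s*(?<Category>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<Cpu_Usage_Percentage>[^,]+),\s*(?<Total_Disk_TB>[^,]+),\s*(?<Used_Disk_TB>[^,]+),\s*(?<Total_Memory_GB>[^,]+),\s*(?<Used_Memory_GB>\S+)"
| table _time Type Category Count Cpu_Usage_Percentage Total_Disk_TB Used_Disk_TB Total_Memory_GB Used_Memory_GB
          ]]></query>
          <!-- earliest/latest inside the search string take precedence over
               the panel time range, so no <earliest>/<latest> elements are needed -->
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```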

Grumpalot
Communicator

Please take a look at your code on line 21

       <query>>$TIME_STRING$index = main | head 10</query>
       <earliest>-4d</earliest>
       <latest>now</latest>
       <sampleRatio>1</sampleRatio>
     </search>

There is an extra >

0 Karma

prathapkcsc
Explorer

Sorry, I removed that.
But a new error came up:
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: latest=nowindex

0 Karma