Hi,
I am getting the below error
'Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the left hand side'
My search looks like this
source="path\\to\\the\\files\\*" host="my" index="main" | rex "^\s*(?<Type>[^,]+),\s*(?<Category>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<Cpu_Usage_Percentage>[^,]+),\s*(?<Total_Disk_TB>[^,]+),\s*(?<Used_Disk_TB>[^,]+),\s*(?<Total_Memory_GB>[^,]+),\s*(?<Used_Memory_GB>\S+)"
| table _time Type Category Count Cpu_Usage_Percentage Total_Disk_TB Used_Disk_TB Total_Memory_GB Used_Memory_GB
My xml files looks like this
<form>
<label>7 days metrics</label>
<fieldset submitButton="false">
<input type="dropdown" token="TIME_STRING" searchWhenChanged="true">
<label>Select Day</label>
<choice value="earliest=@d latest=now">Today</choice>
<choice value="earliest=-d@d latest=@d">Yesterday</choice>
<choice value="earliest=-2d@d latest=-d@d">2 Days Ago</choice>
<choice value="earliest=-3d@d latest=-2d@d">3 Days Ago</choice>
<choice value="earliest=-4d@d latest=-3d@d">4 Days Ago</choice>
<choice value="earliest=-5d@d latest=-4d@d">5 Day Ago</choice>
<choice value="earliest=-6d@d latest=-5d@d">6 Days Ago</choice>
<choice value="eariiest=-7d@d latest=-6d@d">7 Days Ago</choice>
<default>earliest=@d latest=now</default>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query>>$TIME_STRING$index = main | head 10</query>
<earliest>-4d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="list.drilldown">none</option>
<option name="list.wrap">1</option>
<option name="maxLines">10</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
But, I am getting the above error.
Can anyone help me on this?
Thank you.
There is a typo "query>>" and it should be query> $TIME_STRING$ index = main | head 10
and typo in earliest as well. 7 Days Ago
There is a typo "query>>" and it should be query> $TIME_STRING$ index = main | head 10
and typo in earliest as well. 7 Days Ago
Sorry i removed that.
But, new error came up here.
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: latest=nowindex
there should be a space between $TIME_STRING$ and index=main.
$TIME_STRING$ index=main
Perfect. But, i want the data in table format
<form>
<label>7 days metrics</label>
<fieldset submitButton="false">
<input type="dropdown" token="TIME_STRING" searchWhenChanged="true">
<label>Select Day</label>
<choice value="earliest=@d latest=now">Today</choice>
<choice value="earliest=-d@d latest=@d">Yesterday</choice>
<choice value="earliest=-2d@d latest=-d@d">2 Days Ago</choice>
<choice value="earliest=-3d@d latest=-2d@d">3 Days Ago</choice>
<choice value="earliest=-4d@d latest=-3d@d">4 Days Ago</choice>
<choice value="earliest=-5d@d latest=-4d@d">5 Day Ago</choice>
<choice value="earliest=-6d@d latest=-5d@d">6 Days Ago</choice>
<choice value="eariiest=-7d@d latest=-6d@d">7 Days Ago</choice>
<default>earliest=@d latest=now</default>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query> $TIME_STRING$ source="path\\*" host="my" index="main" | rex "^\s*(?<Type>[^,]+),\s*(?<Category>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<Cpu_Usage_Percentage>[^,]+),\s*(?<Total_Disk_TB>[^,]+),\s*(?<Used_Disk_TB>[^,]+),\s*(?<Total_Memory_GB>[^,]+),\s*(?<Used_Memory_GB>\S+)"
| table _time Type Category Count Cpu_Usage_Percentage Total_Disk_TB Used_Disk_TB Total_Memory_GB Used_Memory_GB </query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="list.drilldown">none</option>
<option name="list.wrap">1</option>
<option name="maxLines">10</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
Its giving me an error like invalid closing tag in query line
I placed the entire query in CDATA section. It's working now.Thank you for the help.
Please take a look at your code on line 21
<query>>$TIME_STRING$index = main | head 10</query>
<earliest>-4d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
There is extra >
Sorry i removed that.
But, new error came up here.
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: latest=nowindex