Hello,
I have the results from a dashboard dropdown feeding another dropdown; and I receive this error.
There is also a Timepicker input.
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: host=host.
Here is the first input.
<input type="dropdown" token="hostName">
<label>Host Name</label>
<prefix>host="</prefix>
<suffix>"</suffix>
<default>*</default>
<choice value="*">All</choice>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>
index=test_linuxevents
AND host!="*splunk*"
AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
| stats count by host
</query>
</search>
</input>
This is the second input, which generates the error.
<input type="dropdown" token="userId">
<label>user</label>
<prefix>user="</prefix>
<suffix>"</suffix>
<default>*</default>
<choice value="*">All</choice>
<fieldForLabel>user</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>
index=test_linuxevents
AND host=$hostName$
AND sourcetype="Unix:UserAccounts"
AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
| rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)"
| dedup user
</query>
</search>
</input>
In the second input, I am using host=$hostName$. This is similar to what the Splunk Dashboard Examples App has coded with user=$username$.
/simple_xml_examples/simple_form_cascading/editxml?form.username=
<fieldset autoRun="true">
<input type="dropdown" token="username">
<default>*</default>
<choice value="*">All</choice>
<fieldForLabel>user</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_internal | stats count by user</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</input>
<input type="radio" token="source">
<default>*</default>
<choice value="*">All</choice>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<search>
<query>index=_internal user=$username$| stats count by sourcetype</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
What am I missing?
Thanks in advance for your help.
God bless,
Genesius
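An added illustration, not from the thread or from Splunk's own code: a small Python model of how Simple XML substitutes a dropdown token (prefix + selected value + suffix), plus a check that reports any left-hand side of = that is not a plain field name. With prefix host=" and suffix " declared on the hostName input above, host=$hostName$ expands to host=host="...", which is exactly the left-hand side the error message names; the INPUTS table, the sample searches and the checker are constructed here.

```python
import re

# Constructed model of the question's inputs: token -> (prefix, suffix), taken from
# <prefix>host="</prefix><suffix>"</suffix> on the hostName dropdown; the time-picker
# tokens carry no prefix or suffix.
INPUTS = {
    "hostName": ('host="', '"'),
    "Selected_Time_Range.earliest": ("", ""),
    "Selected_Time_Range.latest": ("", ""),
}

TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")
TERM_RE = re.compile(r'(?:[^\s"]|"[^"]*")+')        # one SPL term, quoted strings kept whole
COMPARE_RE = re.compile(r'^(?P<lhs>.*?)!?=(?P<rhs>"[^"]*"|[^"=\s]*)$')
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.:]*")   # what a left-hand side must look like


def expand_tokens(search, inputs, selections):
    """Substitute each $token$ the way Simple XML does: prefix + selected value + suffix."""
    def sub(match):
        name = match.group(1)
        prefix, suffix = inputs.get(name, ("", ""))
        return prefix + selections[name] + suffix
    return TOKEN_RE.sub(sub, search)


def bad_comparison_terms(search):
    """Left-hand sides of = or != before the first pipe that are not a plain field name.
    For host=host="web01" this returns ['host=host'], as in the question's error."""
    base = search.split("|", 1)[0]
    bad = []
    for term in TERM_RE.findall(base):
        match = COMPARE_RE.match(term)
        if match and not FIELD_RE.fullmatch(match.group("lhs")):
            bad.append(match.group("lhs"))
    return bad


def check(search_template, selections, inputs=INPUTS):
    """Expand the tokens, then return (expanded search, invalid left-hand sides)."""
    expanded = expand_tokens(search_template, inputs, selections)
    return expanded, bad_comparison_terms(expanded)


if __name__ == "__main__":
    picks = {"hostName": "web01", "Selected_Time_Range.earliest": "-24h", "Selected_Time_Range.latest": "now"}
    # The question's form: the field name is repeated in front of a token that already carries it.
    print(check("index=test_linuxevents AND host=$hostName$ AND earliest=$Selected_Time_Range.earliest$", picks))
    # With prefix/suffix declared on the input, the token stands on its own.
    print(check("index=test_linuxevents AND $hostName$ AND earliest=$Selected_Time_Range.earliest$", picks))
```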
@woodcock
Apologies to the Answers Forum; got dragged in various directions.
Removed the prefix, suffix, default and choice value tags.
Changed the fieldForLabel and fieldForValue tags from user to acct. This is used later as the last command in the query.
Changed from sourcetype=Unix:UserAccounts to source=/var/log/audit/audit.log. The list of users is more accurate for the time frame.
Replaced the | rex and | dedup commands in my original code with | stats count by "acct". Not exactly sure why this would work though. I would think it should be |stats value(acct).
Lastly, moved the time range from inside the query to the end of the search tag.
Here is my code that stopped the error from occurring.
<input type="dropdown" token="userId" searchWhenChanged="true">
<label>user</label>
<fieldForLabel>acct</fieldForLabel>
<fieldForValue>acct</fieldForValue>
<search>
<query>
index="test_linuxevents"
AND source="/var/log/audit/audit.log"
AND host=$hostName$
| stats count by "acct"
</query>
<earliest>$Selected_Time_Range.earliest$</earliest>
<latest>$Selected_Time_Range.latest$</latest>
</search>
</input>
Since it accomplished what I needed, I will accept this as the answer. However, as mentioned above, not quite sure why.
Thanks and God bless,
Genesius
Line 15 is probably the culprit:
| rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)"
You'll need to encode the less-than and greater-than characters:
| rex field=_raw "user=(?&lt;user&gt;[a-zA-Z0-9]*\s)"
@jpolvino
Actually, that is what the XML code is. When I cut and pasted it, the original XML was from the dashboard and I overwrote it with the SPL I was testing from the search screen (I forgot to change the <> in this post). It is current in my XML.
Thanks and God bless,
Genesius
Ok, then try removing the AND commands from line 14:
AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
@jpolvino
Not sure what removing the ANDs will do. These are tokens from the Timepicker.
Thanks and God bless,
Genesius
Closing this post.
Thanks and God bless,
Genesius
So this is all working for you now? If so, come back and post your own answer and tell us what you did to fix it, and click Accept on your answer to close the question officially/fully.