Dashboards & Visualizations

Invalid term on the left hand side

genesiusj
Builder

Hello,
I have the results from a dashboard dropdown feeding another dropdown; and I receive this error.
There is also a Timepicker input.

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: host=host.

Here is the first input.

    <input type="dropdown" token="hostName">
      <label>Host Name</label>
      <prefix>host="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <choice value="*">All</choice> 
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>
          index=test_linuxevents 
          AND host!="*splunk*" 
          AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
          | stats count by host
        </query>
      </search>
    </input>

This is the second input, which generates the error.

    <input type="dropdown" token="userId">
      <label>user</label>
      <prefix>user="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <choice value="*">All</choice>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>
          index=test_linuxevents
            AND host=$hostName$
            AND sourcetype="Unix:UserAccounts"
            AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
          | rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)"
          | dedup user
        </query>
      </search>
    </input>

In the second input, I am using host=$hostName$. This is similar to what the Splunk Dashboard Examples App has coded with user=$username$.
/simple_xml_examples/simple_form_cascading/editxml?form.username=

    <fieldset autoRun="true">
        <input type="dropdown" token="username">
            <default>*</default>
            <choice value="*">All</choice>
            <fieldForLabel>user</fieldForLabel>
            <fieldForValue>user</fieldForValue>
            <search>
                <query>index=_internal | stats count by user</query>
                <earliest>-24h</earliest>
                <latest>now</latest>
            </search>
        </input>
        <input type="radio" token="source">
            <default>*</default>
            <choice value="*">All</choice>
            <fieldForLabel>sourcetype</fieldForLabel>
            <fieldForValue>sourcetype</fieldForValue>
            <search>
                <query>index=_internal user=$username$| stats count by sourcetype</query>
                <earliest>-24h</earliest>
                <latest>now</latest>
            </search>
        </input>
    </fieldset>

What am I missing?
Thanks in advance for your help.
God bless,
Genesius

0 Karma
1 Solution

genesiusj
Builder

@woodcock
Apologies to the Answers Forum; got dragged in various directions.

Removed the prefix, suffix, default and choice value tags.
Changed the fieldForLabel and fieldForValue tags from user to acct. This is used later as the last command in the query.
Changed from sourcetype=Unix:UserAccounts to source=/var/log/audit/audit.log. The list of users is more accurate for the time frame.
Replaced the | rex and | dedup commands in my original code with | stats count by "acct". Not exactly sure why this would work though. I would think it should be |stats value(acct).

Lastly, moved the time from inside the query to the end of the search tag.

Here is my code that stopped the error from occurring.

    <input type="dropdown" token="userId" searchWhenChanged="true">
      <label>user</label>
      <fieldForLabel>acct</fieldForLabel>
      <fieldForValue>acct</fieldForValue>
      <search>
        <query>
          index="test_linuxevents"
            AND source="/var/log/audit/audit.log"
            AND host=$hostName$ 
          | stats count by "acct"
        </query>
        <earliest>$Selected_Time_Range.earliest$</earliest>
        <latest>$Selected_Time_Range.latest$</latest>
      </search>
    </input>

Since it accomplished what I needed, I will accept this as the answer. However, as mentioned above, not quite sure why.

Thanks and God bless,
Genesius


0 Karma
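To see why the original second input fails and why dropping the prefix and suffix makes it work, here is an added Python simulation of how Simple XML substitutes a dropdown token. It is not code from the thread or from Splunk. An input's prefix and suffix are wrapped around the selected value at substitution time, so `host=$hostName$` with a prefix of `host="` expands to `host=host="*"`, which is exactly the left-hand side named in the error. The query template is the base search from the second input, the selections (the default `*` host and a 24h time-picker window) and the left-hand-side check are constructed for this example.

```python
import re

# Constructed: the base search of the second input from the question, as one
# template with its tokens (the pipe stages play no part in the error).
QUERY = ('index=test_linuxevents AND host=$hostName$ '
         'AND sourcetype="Unix:UserAccounts" '
         'AND earliest=$Selected_Time_Range.earliest$ '
         'AND latest=$Selected_Time_Range.latest$')

# Same search with the token used bare, relying on the input's own prefix/suffix.
QUERY_BARE = QUERY.replace('host=$hostName$', '$hostName$')

# The first input as posted: <prefix>host="</prefix> and <suffix>"</suffix>.
INPUTS_WITH_PREFIX = {'hostName': ('host="', '"')}
# The same input with <prefix> and <suffix> removed, as the accepted answer did.
INPUTS_NO_PREFIX = {'hostName': ('', '')}

# Assumed user selections: the default "*" host and a 24h time-picker window.
SELECTED = {'hostName': '*',
            'Selected_Time_Range.earliest': '-24h',
            'Selected_Time_Range.latest': 'now'}

TOKEN = re.compile(r'\$([A-Za-z0-9_.]+)\$')
TERM = re.compile(r'(?:[^\s"]|"[^"]*")+')          # split on whitespace, quotes intact
COMPARE = re.compile(r'^(.*?)(!=|=)("[^"]*"|[^"\s]*)$')
FIELD = re.compile(r'[A-Za-z_][A-Za-z0-9_.]*')     # what a valid left-hand side looks like


def expand(template, inputs, selected):
    """Substitute each $token$ the way Simple XML does: prefix + value + suffix.

    Tokens without a declared input (the time picker here) get no wrapping.
    """
    def sub(m):
        name = m.group(1)
        prefix, suffix = inputs.get(name, ('', ''))
        return prefix + selected[name] + suffix
    return TOKEN.sub(sub, template)


def invalid_lhs_terms(query):
    """Return left-hand sides of comparisons in the base search that are not
    plain field names, e.g. the 'host=host' that Splunk reports."""
    bad = []
    for term in TERM.findall(query.split('|', 1)[0]):
        m = COMPARE.match(term)
        if m and not FIELD.fullmatch(m.group(1)):
            bad.append(m.group(1))
    return bad


if __name__ == '__main__':
    for label, template, inputs in (
            ('original second input', QUERY, INPUTS_WITH_PREFIX),
            ('prefix/suffix removed', QUERY, INPUTS_NO_PREFIX),
            ('bare token, prefix kept', QUERY_BARE, INPUTS_WITH_PREFIX)):
        expanded = expand(template, inputs, SELECTED)
        print(f'{label}:\n  {expanded}\n  invalid LHS: {invalid_lhs_terms(expanded)}')
```

The first case reproduces the error (`host=host`); the other two show the two consistent ways to wire a prefixed token: either drop the prefix and suffix and write `host=$hostName$`, or keep them and write `$hostName$` alone, since the token already carries the `host="..."` comparison.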


jpolvino
Builder

Line 15 is probably the culprit:

    | rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)"

You'll need to encode the less-than and greater-than characters:

    | rex field=_raw "user=(?&lt;user&gt;[a-zA-Z0-9]*\s)"

0 Karma

genesiusj
Builder

@jpolvino
Actually that is what the XML code is. When I cut and pasted it, the original XML was from the dashboard and I overwrote it with the SPL I was testing from the search screen (I forgot to change the <> in this post). It is current in my XML.
Thanks and God bless,
Genesius

0 Karma

jpolvino
Builder

Ok, then try removing the AND commands from line 14:
    AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$

0 Karma

genesiusj
Builder

@jpolvino
Not sure what removing the ANDs will do. These are tokens from the Timepicker.
Thanks and God bless,
Genesius

0 Karma

genesiusj
Builder

Closing this post.
Thanks and God bless,
Genesius

0 Karma

woodcock
Esteemed Legend

So this is all working for you now? If so, come back and post your own answer and tell us what you did to fix it and click Accept on your answer to close the questions officially/fully.

0 Karma