Dashboards & Visualizations

Invalid term on the left hand side

genesiusj
Builder

Hello,
I have the results from a dashboard dropdown feeding another dropdown, and I receive this error.
There is also a Timepicker input.

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: host=host.

Here is the first input.

    <input type="dropdown" token="hostName">
      <label>Host Name</label>
      <prefix>host="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <choice value="*">All</choice> 
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>
          index=test_linuxevents 
          AND host!="*splunk*" 
          AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
          | stats count by host
        </query>
      </search>
    </input>

This is the second input, which generates the error.

    <input type="dropdown" token="userId">
      <label>user</label>
      <prefix>user="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <choice value="*">All</choice>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
         <query>
          index=test_linuxevents 
            AND host=$hostName$ 
            AND sourcetype="Unix:UserAccounts" 
            AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
           | rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)"
           | dedup user
        </query>
      </search>
    </input>

In second input, I am using host=$hostName$. This is similar to what Splunk Dashboard Examples App has coded with user=$username$.
/simple_xml_examples/simple_form_cascading/editxml?form.username=

    <fieldset autoRun="true">
        <input type="dropdown" token="username">
            <default>*</default>
            <choice value="*">All</choice>
            <fieldForLabel>user</fieldForLabel>
            <fieldForValue>user</fieldForValue>
            <search>
                <query>index=_internal | stats count by user</query>
                <earliest>-24h</earliest>
                <latest>now</latest>
            </search>
        </input>
        <input type="radio" token="source">
            <default>*</default>
            <choice value="*">All</choice>
            <fieldForLabel>sourcetype</fieldForLabel>
            <fieldForValue>sourcetype</fieldForValue>
            <search>
                <query>index=_internal user=$username$| stats count by sourcetype</query>
                <earliest>-24h</earliest>
                <latest>now</latest>
            </search>
        </input>
    </fieldset>

What am I missing?
Thanks in advance for your help.
God bless,
Genesius

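An added example, not code from the post above or from Splunk: a small Python script that applies Splunk's documented Simple XML token rule (a dropdown token expands to prefix + selected value + suffix wherever $token$ appears in a dependent search) to a constructed fragment modelled on the two inputs in the question, and reports any comparator whose left-hand side comes out as field=field=. Because the hostName input carries <prefix>host="</prefix>, the dependent query host=$hostName$ expands to host=host="web01", which is the shape of the string in the error message; the same query written as plain $hostName$ expands to host="web01". The XML fragment, the selection web01 and the helper names are assumptions made for the demonstration.

```python
"""Simulate Simple XML token substitution for cascading dropdown inputs.

Added example; not part of the original post and not Splunk's code.  It
applies Splunk's documented rule that a dropdown token is replaced by
<prefix> + selected value + <suffix> wherever $token$ appears, then lints
the expanded query for a 'field=field=' left-hand side.
"""
import re
import xml.etree.ElementTree as ET

# Constructed Simple XML fragment modelled on the inputs in the question
# (assumption: trimmed to the elements that matter for token expansion).
DASHBOARD_XML = """<form>
  <fieldset>
    <input type="dropdown" token="hostName">
      <prefix>host="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <choice value="*">All</choice>
      <search><query>index=test_linuxevents | stats count by host</query></search>
    </input>
    <input type="dropdown" token="userId">
      <search><query>index=test_linuxevents AND host=$hostName$
        | stats count by acct</query></search>
    </input>
  </fieldset>
</form>"""

TOKEN_RE = re.compile(r"\$(\w+)\$")
# A comparator whose left-hand side is itself 'word=word' is what the
# search parser rejects ("invalid term on the left hand side").
BAD_LHS_RE = re.compile(r"(\w+)=(\w+)=")


def input_specs(xml_text):
    """Return {token: (prefix, suffix, default)} for every <input> in the form."""
    root = ET.fromstring(xml_text)
    specs = {}
    for inp in root.iter("input"):
        specs[inp.get("token")] = (
            inp.findtext("prefix") or "",
            inp.findtext("suffix") or "",
            inp.findtext("default"),
        )
    return specs


def expand(query, specs, selections):
    """Replace every $token$ with prefix + value + suffix, as Splunk does.

    `selections` maps token name to the value the user picked; an absent
    selection falls back to the input's <default>.
    """
    def substitute(match):
        tok = match.group(1)
        prefix, suffix, default = specs.get(tok, ("", "", None))
        value = selections.get(tok, default)
        if value is None:
            raise KeyError(f"token {tok} has no selection and no default")
        return f"{prefix}{value}{suffix}"
    return TOKEN_RE.sub(substitute, query)


def dependent_queries(xml_text):
    """Return {token: query} for inputs whose search references another token."""
    root = ET.fromstring(xml_text)
    result = {}
    for inp in root.iter("input"):
        query = inp.findtext("search/query") or ""
        if TOKEN_RE.search(query):
            result[inp.get("token")] = query.strip()
    return result


def lint(xml_text, selections):
    """Expand each dependent query and report (token, offending text) pairs."""
    specs = input_specs(xml_text)
    findings = []
    for tok, query in dependent_queries(xml_text).items():
        match = BAD_LHS_RE.search(expand(query, specs, selections))
        if match:
            findings.append((tok, match.group(0)))
    return findings


if __name__ == "__main__":
    chosen = {"hostName": "web01"}  # assumed selection in the first dropdown
    print("as posted:", lint(DASHBOARD_XML, chosen))
    # Dropping the literal 'host=' lets the prefix supply the field name.
    fixed = DASHBOARD_XML.replace("host=$hostName$", "$hostName$")
    print("without host=:", lint(fixed, chosen))
```

Run stand-alone it reports the userId input with host=host= for the fragment as posted and nothing for the variant that relies on the prefix alone; the lint only models expansion of $token$ and does not parse SPL, so treat a clean result as a necessary check rather than proof the search is valid.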
1 Solution

genesiusj
Builder

@woodcock
Apologies to the Answers Forum; got dragged in various directions.

Removed the prefix, suffix, default and choice value tags.
Changed the fieldForLabel and fieldForValue tags from user to acct. This is used later as the last command in the query.
Changed from sourcetype=Unix:UserAccounts to source=/var/log/audit/audit.log. The list of users is more accurate for the time frame.
Replaced the | rex and | dedup commands in my original code with | stats count by "acct". Not exactly sure why this would work though. I would think it should be |stats value(acct).

Lastly, moved the time range from inside the query to the end of the search tag.

Here is my code that stopped the error from occurring.

    <input type="dropdown" token="userId" searchWhenChanged="true">
      <label>user</label>
      <fieldForLabel>acct</fieldForLabel>
      <fieldForValue>acct</fieldForValue>
      <search>
        <query>
          index="test_linuxevents"
            AND source="/var/log/audit/audit.log"
            AND host=$hostName$ 
          | stats count by "acct"
        </query>
        <earliest>$Selected_Time_Range.earliest$</earliest>
        <latest>$Selected_Time_Range.latest$</latest>
      </search>
    </input>

Since it accomplished what I needed, I will accept this as the answer. However, as mentioned above, not quite sure why.

Thanks and God bless,
Genesius

jpolvino
Builder

Line 15 is probably the culprit:

| rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)"

You'll need to encode the less-than and greater-than characters:

| rex field=_raw "user=(?&lt;user&gt;[a-zA-Z0-9]*\s)"

genesiusj
Builder

@jpolvino
Actually that is what the XML code is. When I cut and pasted it, the original XML was from the dashboard and I overwrote it with the SPL I was testing from the search screen (I forgot to change the <> in this post). It is current in my XML.
Thanks and God bless,
Genesius


jpolvino
Builder

Ok, then try removing the AND commands from line 14:
AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$


genesiusj
Builder

@jpolvino
Not sure what removing the ANDs will do. These are tokens from the Timepicker.
Thanks and God bless,
Genesius


genesiusj
Builder

Closing this post.
Thanks and God bless,
Genesius


woodcock
Esteemed Legend

So this is all working for you now? If so, come back and post your own answer and tell us what you did to fix it and click Accept on your answer to close the questions officially/fully.
