https://community.splunk.com/t5/Splunk-ITSI/Unable-to-save-correlation-search-in-ITSI-getting-error-quot/m-p/458716#M1605 <P>Hello,</P> <P>Using ITSI on Splunk Cloud.</P> <P>Using the following search to create a correlation search</P> <P><CODE>search pattern<BR /> | eval MatchPattern = <BR /> [| inputlookup test.csv <BR /> | eval PatternToSearch="\"%".Error."%\"" <BR /> | eval commandToExecute="message LIKE ".PatternToSearch.",\"".Message."\"" <BR /> | fields commandToExecute <BR /> | stats delim="," values(commandToExecute) as commandToExecute <BR /> | mvcombine commandToExecute <BR /> | eval commandToExecute="case(".commandToExecute.",1=1,\"UnMatched\")" <BR /> | return $commandToExecute] <BR /> | fillnull MatchPattern value="Null" <BR /> | search MatchPattern!= "UnMatched"</CODE></P> <P>The search runs fine but when I try to save the correlation search, I get the error <CODE>"Invalid search string: This search cannot be parsed when parse_only is set to true."</CODE> which I found is a Javascript limitation. Any workaround for this?</P> Tue, 14 May 2019 10:29:50 GMT bangalorep 2019-05-14T10:29:50Z https://community.splunk.com/t5/Splunk-ITSI/Unable-to-save-correlation-search-in-ITSI-getting-error-quot/m-p/458716#M1605 <P>Hello,</P> <P>Using ITSI on Splunk Cloud.</P> <P>Using the following search to create a correlation search</P> <P><CODE>search pattern<BR /> | eval MatchPattern = <BR /> [| inputlookup test.csv <BR /> | eval PatternToSearch="\"%".Error."%\"" <BR /> | eval commandToExecute="message LIKE ".PatternToSearch.",\"".Message."\"" <BR /> | fields commandToExecute <BR /> | stats delim="," values(commandToExecute) as commandToExecute <BR /> | mvcombine commandToExecute <BR /> | eval commandToExecute="case(".commandToExecute.",1=1,\"UnMatched\")" <BR /> | return $commandToExecute] <BR /> | fillnull MatchPattern value="Null" <BR /> | search MatchPattern!= "UnMatched"</CODE></P> <P>The search runs fine but when I try to save the correlation search, I get the error <CODE>"Invalid search string: This search cannot be parsed when parse_only is set to true."</CODE> which I found is a Javascript limitation. Any workaround for this?</P> Tue, 14 May 2019 10:29:50 GMT https://community.splunk.com/t5/Splunk-ITSI/Unable-to-save-correlation-search-in-ITSI-getting-error-quot/m-p/458716#M1605 bangalorep 2019-05-14T10:29:50Z https://community.splunk.com/t5/Splunk-ITSI/Unable-to-save-correlation-search-in-ITSI-getting-error-quot/m-p/511047#M2106 <P><SPAN>You can't use a sub-search returning into an eval in a correlation search. As a workaround:</SPAN></P><P><SPAN>1. Create and save a basic correlation search with all of the information you want outside of the search. </SPAN></P><P><SPAN>2. As an admin user, go to <STRONG>Settings &gt; Searches, reports, and alerts</STRONG> and open the correlation search you just created. </SPAN></P><P><SPAN>3. Add the sub-search you were trying to add there.</SPAN></P><P>This workaround is also documented in known issue&nbsp;<A href="https://docs.splunk.com/Documentation/ITSI/latest/ReleaseNotes/Knownissues#Uncategorized_issues" target="_self"><SPAN>ITSI-3322</SPAN></A>&nbsp;<SPAN>in the release notes.</SPAN>&nbsp;</P> Mon, 27 Jul 2020 05:41:52 GMT https://community.splunk.com/t5/Splunk-ITSI/Unable-to-save-correlation-search-in-ITSI-getting-error-quot/m-p/511047#M2106 esnyder_splunk 2020-07-27T05:41:52Z