https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-fix-litsearch-command-Unable-to-parse-the-search/m-p/610535#M9100 <P>I'm an end user! It appears to be just my user account. we dont seem to be able to find the answer</P> <P>When I do <U>any search</U> (such as <EM><STRONG>index="med"</STRONG></EM>) I get&nbsp;<BR /><EM><STRONG>"Error in 'litsearch' command: Unable to parse the search: unbalanced parentheses."</STRONG></EM></P> <P>When I go through the logs I was surprised to see that such a simple search resulted in</P> <P class="lia-align-justify"><EM><STRONG>litsearch (index="med" index=nessus ((source="SI - EZproxy" orig_sourcetype="nessus:scan") OR sourcetype="nessus:scan") | lookup Device_Details nt_host as host-fqdn output bunit | search bunit="Medicine"<FONT face="andale mono,times" size="4" color="#000000">)</FONT> | litsearch (index="med" index=nessus sourcetype=nessus:scan | lookup Device_Details nt_host as host-fqdn output bunit | search bunit="Medicine") | fields&nbsp; keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"&nbsp; | remotetl&nbsp; nb=300 et=1660905790.000000 lt=1660906690.000000 remove=true max_count=1000 max_prefetch=100</STRONG></EM></P> <P>While the parenthesis balance, I read somewhere they they have to balance within the pipe (|), which they don't.&nbsp;</P> <P>We do indeed have a nessus index and several months ago someone started work on getting nessus reporting dashboard in splunk to work (still ongoing). However I am not sure why a simple search on index=Med would reference "nessus".&nbsp;</P> <P>Does the litsearch command look wrong?<BR />Where is it picking up the conf to produce such a command and can it be fixed?<BR /><BR /><FONT face="inherit">I have tried to create a table view of&nbsp; "med" and I get no </FONT>entries<FONT face="inherit">&nbsp;rather than an error. I did that </FONT>because<FONT face="inherit">&nbsp;it would be good to see the </FONT>index<FONT face="inherit">&nbsp;to know its not a permission error.</FONT></P> <P>&nbsp;</P> Wed, 24 Aug 2022 13:58:27 GMT Mr_Johnson42 2022-08-24T13:58:27Z https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-fix-litsearch-command-Unable-to-parse-the-search/m-p/610535#M9100 <P>I'm an end user! It appears to be just my user account. we dont seem to be able to find the answer</P> <P>When I do <U>any search</U> (such as <EM><STRONG>index="med"</STRONG></EM>) I get&nbsp;<BR /><EM><STRONG>"Error in 'litsearch' command: Unable to parse the search: unbalanced parentheses."</STRONG></EM></P> <P>When I go through the logs I was surprised to see that such a simple search resulted in</P> <P class="lia-align-justify"><EM><STRONG>litsearch (index="med" index=nessus ((source="SI - EZproxy" orig_sourcetype="nessus:scan") OR sourcetype="nessus:scan") | lookup Device_Details nt_host as host-fqdn output bunit | search bunit="Medicine"<FONT face="andale mono,times" size="4" color="#000000">)</FONT> | litsearch (index="med" index=nessus sourcetype=nessus:scan | lookup Device_Details nt_host as host-fqdn output bunit | search bunit="Medicine") | fields&nbsp; keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"&nbsp; | remotetl&nbsp; nb=300 et=1660905790.000000 lt=1660906690.000000 remove=true max_count=1000 max_prefetch=100</STRONG></EM></P> <P>While the parenthesis balance, I read somewhere they they have to balance within the pipe (|), which they don't.&nbsp;</P> <P>We do indeed have a nessus index and several months ago someone started work on getting nessus reporting dashboard in splunk to work (still ongoing). However I am not sure why a simple search on index=Med would reference "nessus".&nbsp;</P> <P>Does the litsearch command look wrong?<BR />Where is it picking up the conf to produce such a command and can it be fixed?<BR /><BR /><FONT face="inherit">I have tried to create a table view of&nbsp; "med" and I get no </FONT>entries<FONT face="inherit">&nbsp;rather than an error. I did that </FONT>because<FONT face="inherit">&nbsp;it would be good to see the </FONT>index<FONT face="inherit">&nbsp;to know its not a permission error.</FONT></P> <P>&nbsp;</P> Wed, 24 Aug 2022 13:58:27 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-fix-litsearch-command-Unable-to-parse-the-search/m-p/610535#M9100 Mr_Johnson42 2022-08-24T13:58:27Z https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-fix-litsearch-command-Unable-to-parse-the-search/m-p/610544#M9101 <P>Perhaps your role has a Search Filter defined that is causing the error.&nbsp; If so, work with your Splunk admin to fix it.</P><P>Yes, parentheses must match within a pipe.</P> Tue, 23 Aug 2022 18:19:59 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-fix-litsearch-command-Unable-to-parse-the-search/m-p/610544#M9101 richgalloway 2022-08-23T18:19:59Z