topic Re: Invalid term on the left hand side in Dashboards & Visualizations

Invalid term on the left hand side

genesiusj — Wed, 30 Sep 2020 01:40:41 GMT

Hello,
I have the results from a dashboard dropdown feeding another dropdown; and I receive this error.
There is also a Timepicker input.

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: host=host.

Here is the first input.

    <input type="dropdown" token="hostName">
      <label>Host Name</label>
      <prefix>host="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <choice value="*">All</choice> 
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>
          index=test_linuxevents 
          AND host!="*splunk*" 
          AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
          | stats count by host
        </query>
      </search>
    </input>

This is the second input, which generates the error.

    <input type="dropdown" token="userId">
      <label>user</label>
      <prefix>user="</prefix>
      <suffix>"</suffix>
      <default>*</default>
      <choice value="*">All</choice>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
         <query>
          index=test_linuxevents 
            AND host=$hostName$ 
            AND sourcetype="Unix:UserAccounts" 
            AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$
           | rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)"
           | dedup user
        </query>
      </search>
    </input>

In second input, I am using host=$hostName$. This is similar to what Splunk Dashboard Examples App has coded with user=$username$.
/simple_xml_examples/simple_form_cascading/editxml?form.username=

    <fieldset autoRun="true">
        <input type="dropdown" token="username">
            <default>*</default>
            <choice value="*">All</choice>
            <fieldForLabel>user</fieldForLabel>
            <fieldForValue>user</fieldForValue>
            <search>
                <query>index=_internal | stats count by user</query>
                <earliest>-24h</earliest>
                <latest>now</latest>
            </search>
        </input>
        <input type="radio" token="source">
            <default>*</default>
            <choice value="*">All</choice>
            <fieldForLabel>sourcetype</fieldForLabel>
            <fieldForValue>sourcetype</fieldForValue>
            <search>
                <query>index=_internal user=$username$| stats count by sourcetype</query>
                <earliest>-24h</earliest>
                <latest>now</latest>
            </search>
        </input>
    </fieldset>

What am I missing?
Thanks in advance for your help.
God bless,
Genesius

Re: Invalid term on the left hand side

jpolvino — Fri, 09 Aug 2019 15:58:47 GMT

Line 15 is probably the culprit:

| rex field=_raw "user=(?<user>[a-zA-Z0-9]*\s)"

You'll need to encode the less-than and greater-than characters:

| rex field=_raw "user=(?&lt;user&gt;[a-zA-Z0-9]*\s)"

Re: Invalid term on the left hand side

genesiusj — Fri, 09 Aug 2019 17:50:05 GMT

@jpolvino
Actually that is what the XML code is. When I cut pasted it, the original XML was from the dashboard and I overwrote the with the SPL I wasa testing from the search screen (I forgot to change the<> in this post). It is current in my XML.
Thanks and God bless,
Genesius

Re: Invalid term on the left hand side

jpolvino — Wed, 30 Sep 2020 01:40:46 GMT

Ok, then try removing the AND commands from line 14:
AND earliest=$Selected_Time_Range.earliest$ AND latest=$Selected_Time_Range.latest$

Re: Invalid term on the left hand side

genesiusj — Wed, 14 Aug 2019 19:53:08 GMT

@jpolvino
Not sure what removing the ANDs will do. These are tokens from the Timepicker.
Thanks and God bless,
Genesius

Re: Invalid term on the left hand side

genesiusj — Thu, 26 Sep 2019 13:41:11 GMT

Closing this post.
Thanks and God bless,
Genesius

Re: Invalid term on the left hand side

woodcock — Sun, 10 Nov 2019 23:10:18 GMT

So this is all working for you now? If so, come back and post your own answer and tell us what you did to fix it and click Accept on your answer to close the questions officially/fully.

Re: Invalid term on the left hand side

genesiusj — Tue, 12 Nov 2019 13:34:01 GMT

@woodcock
Apologies to the Answers Forum; got dragged in various directions.

Removed the prefix, suffix, default and choice value tags.
Changed the fieldForLabel and fieldForValue tags from user to acct. This is used later as the last command in the query.
Changed from sourcetype=Unix:UserAccounts to source=/var/log/audit/audit.log. The list of users is more accurate for the time frame.
Replaced the | rex and | dedup commands in my original code, with | stats count by "acct". No exactly sure why this would work though. I would think it should be |stats value(acct).

Lastly, moved the time from in the query to the end of the search tag.

Here is my code that stopped the error from occurring.

    <input type="dropdown" token="userId" searchWhenChanged="true">
      <label>user</label>
      <fieldForLabel>acct</fieldForLabel>
      <fieldForValue>acct</fieldForValue>
      <search>
        <query>
          index="test_linuxevents"
            AND source="/var/log/audit/audit.log"
            AND host=$hostName$ 
          | stats count by "acct"
        </query>
        <earliest>$Selected_Time_Range.earliest$</earliest>
        <latest>$Selected_Time_Range.latest$</latest>
      </search>
    </input>

Since it accomplished what I needed, I will accept this as the answer. However, as mentioned above, not quite sure why.

Thanks and God bless,
Genesius