https://community.splunk.com/t5/Splunk-Search/Error-Message-About-Literals/m-p/465651#M191736 <P><CODE>IN</CODE> requires a comma-separated list of field names, numbers, or strings. Run the subsearches alone and you'll find they are not returning such output. Creative use of the <CODE>format</CODE> command may be able to remedy that.</P> Thu, 24 Oct 2019 14:46:53 GMT richgalloway 2019-10-24T14:46:53Z https://community.splunk.com/t5/Splunk-Search/Error-Message-About-Literals/m-p/465650#M191735 <P>Hello,<BR /> One of my biggest pet peeves about software is the lack of information around error messages. Obviously, a developer wrote the error code and its associated message. However, most software has a vast black hole around such messages.</P> <P>Case is point.<BR /> <STRONG>"Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals. '(localrefid = "WW201929400001699")' is not a literal."</STRONG></P> <P>If I Google this error <STRONG>"Unable to parse the search: Right hand side of IN must be a collection of literals. "</STRONG>, I receive ONE hit.<BR /> <A href="http://splunk476.rssing.com/chan-54950717/all_p1789.html">link text</A></P> <P>Searching this page for <STRONG>literal</STRONG> leads to<BR /> <A href="http://splunk476.rssing.com/browser.php?indx=54950717&amp;item=35772">link text</A></P> <P>Which in turn leads to NOWHERE, none of the links work.</P> <P>Here is my code.</P> <PRE><CODE>index="test" AND priority="INFO" AND ("STARTED" OR "FINISHED") AND (localrefid IN [ search index="test" AND priority="INFO" AND (localrefid!="12345" AND localrefid!="null" OR localrefid!="") AND ("STARTED" OR "FINISHED") | dedup localrefid | table localrefid ] OR token IN [ search index="test" AND priority="INFO" AND localrefid!="12345" AND (token!="null" AND token!="") AND ("STARTED" OR "FINISHED") | dedup token | table token ] ) | dedup _raw | rex field=_raw "(FINISHED|STARTED\s)\:\s(?&lt;transMethod&gt;\w*)\s" | rex field=_raw "Total Time\s(?&lt;methodTime&gt;\d*\.?\d*)\sseconds" | eval methodTime=round(methodTime,3) | transaction localrefid, token | sort +_time, localrefid, token | table _time, appName, transMethod, localrefid, token, eventcount, methodTime, _raw </CODE></PRE> <P>Thanks in advance for your assistance with this undocumented error (at least in my search of the Internet), and for dealing with my pet peeve. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>God bless,<BR /> Genesius</P> Thu, 24 Oct 2019 14:28:06 GMT https://community.splunk.com/t5/Splunk-Search/Error-Message-About-Literals/m-p/465650#M191735 genesiusj 2019-10-24T14:28:06Z https://community.splunk.com/t5/Splunk-Search/Error-Message-About-Literals/m-p/465651#M191736 <P><CODE>IN</CODE> requires a comma-separated list of field names, numbers, or strings. Run the subsearches alone and you'll find they are not returning such output. Creative use of the <CODE>format</CODE> command may be able to remedy that.</P> Thu, 24 Oct 2019 14:46:53 GMT https://community.splunk.com/t5/Splunk-Search/Error-Message-About-Literals/m-p/465651#M191736 richgalloway 2019-10-24T14:46:53Z