topic Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"? in Splunk Search

Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

HealyDPS — Mon, 30 Jan 2017 22:02:27 GMT

I had this search working and now it seems to have stopped gives an error. Thoughts?

Search:

index=symantec sourcetype=file Host_Name=[search index=dhcp "*ip address*" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | return $Hostname] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

Error:

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

harshal_chakran — Tue, 31 Jan 2017 07:17:58 GMT

Try using it like this:

 index=symantec sourcetype=file [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | rename Hostname as Host_Name] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

Removed the comparator and used subsearch.

Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

jplumsdaine22 — Tue, 31 Jan 2017 09:23:42 GMT

The error is most likely triggereing because the subsearch [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort by _time desc | rex "$(?.*?)$"| dedup Hostname | table Hostname | return $Hostname] is resolving to NULL, therefore your outer search is being run as

index=symantec sourcetype=file Host_Name= | ... etc

Check that your subsearch returns results, either by running the search on its own or look in the job inspector

Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

HealyDPS — Tue, 31 Jan 2017 13:46:18 GMT

I did the sub search and I get the information I am looking for. So how would I fix this now? Also I put in the information wrong. I am added a more correct search string.

Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

jplumsdaine22 — Tue, 31 Jan 2017 13:49:42 GMT

This is a saner method for sure

Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

HealyDPS — Tue, 29 Sep 2020 12:40:46 GMT

So I did this:

No longer getting error but I am getting no results. But if I put the results of the subsearch in search I will get the results I want. Both searches seems to work by themselves but not together.

Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

HealyDPS — Tue, 31 Jan 2017 14:32:46 GMT

Thanks that worked. Plus I figured out why no results were coming back. Thanks again.

Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

abhinav_maxonic — Tue, 29 Sep 2020 14:55:20 GMT

Check the macro definition in macros.conf at the location /opt/splunk/etc/apps/digitalguardian_web . In my case, the marco was wrongly defined.

$SPLUNK_HOME$/etc/apps/digitalguardian_web/local/macros.conf
Wrong Definition -
[index_macro]
definition = index=digitalguardian
Right Definition
[index_macro]
definition = digitalguardian