All Apps and Add-ons

Data not populating and overview search returns error

Path Finder

select the server host via the overview I get the follow error:

Error in 'SearchParser': Missing a search command before '|'

The same is true for all metric types.

index=jmx sourcetype=jmx host="xxxxxxxx" jvmDescription="*" mbean_domain="java.lang" mbean_property_type="OperatingSystem" OR "Runtime"
| eval swapUsed=swapSpace-freeSwap
| eval memoryUsed=physMem-freePhysMem
| bucket _time span=1m
| stats first(name) as name first(version) as version first(arch) as arch first(jvmUptime) as jvmUptime first(cpuTime) as cpuTime first(processors) as cpus first(sysLoad) as sysLoad first(openFD) as openFD first(maxFD) as maxFD first(physMem) as physMem first(memoryUsed) as memoryUsed first(swapSpace) as swapSpace first(swapUsed) as swapUsed first(committed) as committed by _time host jvmDescription
| | stats first(name) as OS first(version) as Version first(arch) as Architecture by host jvmDescription | sort jvmDescription

0 Karma

Explorer

Hi,

I am having exactly the same issue. My install was a fresh install of Splunk 5.0.4 and jmx app 2.0.3. Mine seems to be working for the most part, but whenever I click a host in the overview, I would get the error:

PARSER: Applying intentions failed Error in 'SearchParser': Missing a search command before '|'.

The only change I made after I installed the JMX app was creating a new config file based on the default config.xml. The changes I made to that new config file were host, jvmDescription, and jmxport.

Any help would be greatly appreciated!

Thanks!

0 Karma

Explorer

Hi,

Could you elaborate a bit more on this:

Splunk 5.0+ , if you only want to use as a JMX Modular Input

and how this would be related to the errors I am seeing? Are you saying that the errors I am seeing are expected?

Thanks!

0 Karma

Ultra Champion

From the Docs :

Dependencies

Splunk 5.0+ , if you only want to use as a JMX Modular Input
Splunk 6.0+ , if you want to use the Simple XML dashboards also
0 Karma

Ultra Champion

I suggest you stick to the the out of the box documentation and default Simple XML view examples and name your sourcetype to be "jmx". For some reason editing the example xml views to change the sourcetype seems to be giving you some issues (as per other thread).

0 Karma

Ultra Champion

Works fine on 3 different Splunk instances for me.

I can only ascertain that somewhere in your environment there must be locally changed XML view (not the default ones) , that has an edit error in it because I can replicate the error by deliberately hacking my xml view to make it erroneous. Try grepping for "| | stats first(name)"

0 Karma

Path Finder

I will email it to you as it does not fit in the comment or Post section of Splunk Answers.

Thank you for looking at this.

JB

0 Karma

Ultra Champion

Can you post your entire jvm_operatingsystem.xml file please

0 Karma

Path Finder



<!-- Connect to a JVM via the remote JMX interface -->



[jmx://jetty_xxxxxxxx]
config_file = jetty_xxxxxxx.xml
host = xxxxxxxx
index = jmx
polling_frequency = 60
sourcetype = jmx

Path Finder

this is a instance of Splunk6.0 using jmx2.0 with no changes.

Below is the config.xml and inputs.conf from the Forwarder side app. the same is on the Splunk server side, created using modular input.

0 Karma

Ultra Champion

Is this on the version you have edited ? Or on a completely fresh version you have not edited in any way ? Also , what Splunk version are you on. I am trying to ascertain why your environment ,and no others I have ever seen , behaves like this. Can you post your entire jvm_operatingsystem.xml file please.

0 Karma

Path Finder

Yes that seems to be the issue for all of the metrics. Please correct me if I am wrong, but shouldn't that be populated by the app when I click on the server overview?

0 Karma

Ultra Champion

In your post above your have 2 pipes with nothing in between : ".....jvmDescription | | stats first(name)....."

0 Karma

Path Finder

Hello Damien,

I had only attempted changing it on one metric and then changed it back to JMX. So all of the Metrics are using the out of the box configuration. Same with the inputs.conf, sourcetype is set to JMX.

To validate that I do have any other configurations that are off, I attempted loading JMS on another instance of Splunk and continue to have the same issue with no data populating and overview continues to report the same error.

Error in 'SearchParser': Missing a search command before '|'

Thank you,

JB

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!