I have 2 queries in the same format; query#1 is working and query#2 is not working and throws the error "UnifiedSearch - Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the right hand side.
09-29-2015 08:01:32.328 ERROR SearchStateListener - Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the right hand side."
When I run them separately, both queries generate results, but when I set them up as alerts, query#1 gets triggered when its condition is met and query#2 does not trigger when it should. I got the error above from 'inspect job'.
query#1:
index="index" sourcetype="sourcetype" OperationName="Operation1" OR "Operation2" OR "Operation3" ActivityStep=rs
| stats exactperc99(Duration) as Latency by OperationName
| eval cases=if(OperationName="Operation1" AND Latency>25000, "Operation1Alert", cases)
| eval cases=if(OperationName="Operation2" AND Latency>25000, "Operation2Alert", cases)
| eval cases=if(OperationName="Operation3" AND Latency>4500, "Operation3Alert", cases)
| eval hold=if(cases=="Operation1Alert", count, 0)
| eval Verify=if(cases=="Operation2Alert", count, 0)
| eval RetrievePlan=if(cases=="Operation3Alert", count, 0)
| stats count by cases, Latency
| where count>0
query#2:
index="index" sourcetype="sourcetype" OperationName="Operation4" OR "Operation5" OR "VerifyOperation5" OR "Operation6" OR "Operation7" ActivityStep=rs
| stats exactperc99(Duration) as Latency by OperationName
| eval cases=if(OperationName="Operation4" AND Latency>0, "Operation4Alert", cases)
| eval cases=if(OperationName="Operation5" AND Latency>70000, "Operation5Alert", cases)
| eval cases=if(OperationName="VerifyOperation5" AND Latency>6000, "VerifyOperation5Alert", cases)
| eval cases=if(OperationName="Operation6" AND Latency>100, "Operation6Alert", cases)
| eval cases=if(OperationName="Operation7" AND Latency>1000, "Operation7Alert", cases)
| eval Commithold=if(cases=="Operation4", count, 0)
| eval Return=if(cases=="Operation5Alert", count, 0)
| eval VerifyR=if(cases=="VerifyOperation5", count, 0)
| eval Charge=if(cases=="Operation6Alert", count, 0)
| eval Abandon=if(cases=="Operation7Alert", count, 0)
| stats count by cases, Latency
| where count>0
Please help me on getting query#2 to work.
Thanks for helping me. I found the reason query#2 was not working. In savedsearches.conf I had set the relationship to 'greater than' and 'Quantity' to 5 instead of 'quantity'. The upper-case 'Q' got me into problems.
Thanks!
Good to hear that your issue is resolved. Please accept this answer to close the question.
Both searches work for me, but you should definitely be using a single eval cases=case instead of all of those chained eval cases=if statements.
In the evals for Commithold/hold/Verify etc., you're referencing a field count which is not available at that point. I believe those evals should come after your stats count by cases, Latency.
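Putting the two fixes from this thread together, here is an added example (it is not from the original poster or from either answer) of a savedsearches.conf stanza for query#2: the alert trigger keys spelled the way Splunk expects them, and the search rewritten with one eval cases=case(...) with the per-case count evals moved after stats, as suggested above. Attribute names in Splunk .conf files are case-sensitive, so a Quantity line is silently ignored and quantity stays unset; the trigger condition Splunk builds from relation/quantity then has nothing on the right of '>', which is consistent with the error text in the question. The stanza name, cron schedule and dispatch window are assumed. The OR alternatives are grouped so each one is a test on OperationName (a bare quoted term such as "Operation5" is a free-text search, not a field test), and the two comparisons in the original that check for "Operation4" and "VerifyOperation5" rather than the matching *Alert values are corrected so they can actually match.

```ini
# savedsearches.conf - example stanza added for illustration. Stanza name,
# cron_schedule and dispatch window are assumed, not from the original post.
[Operation latency alert - query2]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger when the search returns more than 5 result rows.
# Attribute names are case-sensitive: the misspelled key below is what the
# asker had. Splunk ignores it, 'quantity' stays unset, and the generated
# condition ends up as "count >" with nothing on the right-hand side.
#Quantity = 5
counttype = number of events
relation = greater than
quantity = 5

# The search, with a single case() instead of chained if()s and the
# per-case count evals placed after stats, where 'count' exists.
# A trailing backslash continues the value onto the next line.
search = index="index" sourcetype="sourcetype" ActivityStep=rs \
    (OperationName="Operation4" OR OperationName="Operation5" \
     OR OperationName="VerifyOperation5" OR OperationName="Operation6" \
     OR OperationName="Operation7") \
  | stats exactperc99(Duration) as Latency by OperationName \
  | eval cases=case( \
        OperationName="Operation4"       AND Latency>0,     "Operation4Alert", \
        OperationName="Operation5"       AND Latency>70000, "Operation5Alert", \
        OperationName="VerifyOperation5" AND Latency>6000,  "VerifyOperation5Alert", \
        OperationName="Operation6"       AND Latency>100,   "Operation6Alert", \
        OperationName="Operation7"       AND Latency>1000,  "Operation7Alert") \
  | where isnotnull(cases) \
  | stats count by cases, Latency \
  | eval Commithold=if(cases=="Operation4Alert", count, 0), \
         Return=if(cases=="Operation5Alert", count, 0), \
         VerifyR=if(cases=="VerifyOperation5Alert", count, 0), \
         Charge=if(cases=="Operation6Alert", count, 0), \
         Abandon=if(cases=="Operation7Alert", count, 0)
```

To check a stanza like this before relying on the alert, run splunk btool check on the search head; it validates attribute names against the .spec files and should flag an unknown key such as Quantity, which is exactly the kind of silent misspelling that caused the failure here. The where isnotnull(cases) step is optional, since stats ... by cases already drops rows whose group-by field is null, but it makes the intent explicit.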