Dashboards & Visualizations

PARSER: Applying intentions failed Error in 'append' command: The last argument must be a subsearch.

msarro
Builder

Greetings everyone. I am trying to build a large search into a dashboard and getting the error shown in the title. Any ideas? It works just fine from the command line (other than the regex capture groups using the greater than/less than escape codes instead of symbols).

...
| append [search (index=prod_msp sourcetype=msp-prod Call_ID_1!=unknown Call_ID_1!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=prodcorr sourcetype=as-cdr AS_Direction=Terminating Call_ID_1!=NULL Call_ID_2!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=premed_pbts PBTS_ORIG_SIP_CALL_ID!=NULL PBTS_TERM_SIP_CALL_ID!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=premed_sbc SBC_ORIG_SIP_CALL_ID!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$))|eval CID1=Call_ID_1|eval CID2=coalesce(Call_ID_2,PBTS_TERM_SIP_CALL_ID)|eval CID3=coalesce(PBTS_ORIG_SIP_CALL_ID,SBC_TERM_SIP_CALL_ID)] 
...

As you can see, the last part of the append statement IS a subsearch, so I don't understand why splunk is complaining.

Tags (2)

moesaidi
Path Finder

Encountered a similar problem...
To fix, I re-wrote the query with spaces instead of tabs and it appears to have worked.
For example, I initially had:

index="searchindex" sourcetype="sourcetype" AND thisandthat
        | test1
        | test2
        | append [search blabalbal
                   | blablabla
                   | blablablabla
                   | blabla]
        | chart blablaa

Fixed by changing it to:

index="searchindex" sourcetype="sourcetype" AND thisandthat | test1 | test2 | append [search blabalbal | blablabla | blablablabla  | blabla]  | chart blablaa

I wrote the initial query in notepad++, copied/pasted it which is what failed. When re-written without the tabs it was fine.
I assume there is a character it didn't like that was inserted by NP++.

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...