Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

PARSER: Applying intentions failed Error in 'append' command: The last argument must be a subsearch.

msarro
Builder
‎10-04-2011 10:44 AM

Greetings everyone. I am trying to build a large search into a dashboard and getting the error shown in the title. Any ideas? It works just fine from the command line (other than the regex capture groups using the greater than/less than escape codes instead of symbols).

...
| append [search (index=prod_msp sourcetype=msp-prod Call_ID_1!=unknown Call_ID_1!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=prodcorr sourcetype=as-cdr AS_Direction=Terminating Call_ID_1!=NULL Call_ID_2!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=premed_pbts PBTS_ORIG_SIP_CALL_ID!=NULL PBTS_TERM_SIP_CALL_ID!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=premed_sbc SBC_ORIG_SIP_CALL_ID!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$))|eval CID1=Call_ID_1|eval CID2=coalesce(Call_ID_2,PBTS_TERM_SIP_CALL_ID)|eval CID3=coalesce(PBTS_ORIG_SIP_CALL_ID,SBC_TERM_SIP_CALL_ID)] 
...

As you can see, the last part of the append statement IS a subsearch, so I don't understand why splunk is complaining.

Tags (2)
Reply

moesaidi
Path Finder
‎03-16-2017 06:41 AM

Encountered a similar problem...
To fix, I re-wrote the query with spaces instead of tabs and it appears to have worked.
For example, I initially had:

index="searchindex" sourcetype="sourcetype" AND thisandthat
        | test1
        | test2
        | append [search blabalbal
                   | blablabla
                   | blablablabla
                   | blabla]
        | chart blablaa

Fixed by changing it to: 

index="searchindex" sourcetype="sourcetype" AND thisandthat | test1 | test2 | append [search blabalbal | blablabla | blablablabla  | blabla]  | chart blablaa

I wrote the initial query in notepad++, copied/pasted it which is what failed. When re-written without the tabs it was fine.
I assume there is a character it didn't like that was inserted by NP++.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...