Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

PARSER: Applying intentions failed Error in 'append' command: The last argument must be a subsearch.

msarro
Builder
‎10-04-2011 10:44 AM

Greetings everyone. I am trying to build a large search into a dashboard and getting the error shown in the title. Any ideas? It works just fine from the command line (other than the regex capture groups using the greater than/less than escape codes instead of symbols).

...
| append [search (index=prod_msp sourcetype=msp-prod Call_ID_1!=unknown Call_ID_1!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=prodcorr sourcetype=as-cdr AS_Direction=Terminating Call_ID_1!=NULL Call_ID_2!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=premed_pbts PBTS_ORIG_SIP_CALL_ID!=NULL PBTS_TERM_SIP_CALL_ID!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$)) OR (index=premed_sbc SBC_ORIG_SIP_CALL_ID!=NULL AND ($TN$ OR 1$TN$ OR +1$TN$))|eval CID1=Call_ID_1|eval CID2=coalesce(Call_ID_2,PBTS_TERM_SIP_CALL_ID)|eval CID3=coalesce(PBTS_ORIG_SIP_CALL_ID,SBC_TERM_SIP_CALL_ID)] 
...

As you can see, the last part of the append statement IS a subsearch, so I don't understand why splunk is complaining.

Tags (2)
Reply

moesaidi
Path Finder
‎03-16-2017 06:41 AM

Encountered a similar problem...
To fix, I re-wrote the query with spaces instead of tabs and it appears to have worked.
For example, I initially had:

index="searchindex" sourcetype="sourcetype" AND thisandthat
        | test1
        | test2
        | append [search blabalbal
                   | blablabla
                   | blablablabla
                   | blabla]
        | chart blablaa

Fixed by changing it to: 

index="searchindex" sourcetype="sourcetype" AND thisandthat | test1 | test2 | append [search blabalbal | blablabla | blablablabla  | blabla]  | chart blablaa

I wrote the initial query in notepad++, copied/pasted it which is what failed. When re-written without the tabs it was fine.
I assume there is a character it didn't like that was inserted by NP++.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...