Solved: Re: invalid term on the left hand side - Splunk Community

Dashboards & Visualizations

Any advice on how to fix this command? I pulled it from GoSplunk "Show all successful Splunk configurations by user."

This is on Splunk Enterprise. Below is my entered command and I am getting the error:

Comparator '=' has an invalid term on the left hand side: host=object

index=_audit action=edit* info=granted operation!=list host= object=*
| transaction action user operation host maxspan=30s
| stats values(action) as action values(object) as modified_object by _time,operation,user,host
| rename user as modified_by
| table _time action modified_object modified_by

1 Solution

Solution

did you tried host="*" ?

might not shoe the comparator error

View solution in original post

I don't know if it's a trascrition error, but there's "host=" without any object.

Ciao.

Giuseppe

Am I to replace "object" with a targeted network/host ID?

Solution

did you tried host="*" ?

might not shoe the comparator error

what is the condition you need?

I don't know what you want to search, I found that you cannot put in a search a condition without a value.

What is the search you're running?

Do you have the error yet?

Ciao.

Giuseppe

in other words, the solution I hinted.

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated by all the Contributors. 😉

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card! Hello there, Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...