I'm an end user! It appears to be just my user account. We don't seem to be able to find the answer.
When I do any search (such as index="med") I get
"Error in 'litsearch' command: Unable to parse the search: unbalanced parentheses."
When I go through the logs I was surprised to see that such a simple search resulted in
litsearch (index="med" index=nessus ((source="SI - EZproxy" orig_sourcetype="nessus:scan") OR sourcetype="nessus:scan") | lookup Device_Details nt_host as host-fqdn output bunit | search bunit="Medicine") | litsearch (index="med" index=nessus sourcetype=nessus:scan | lookup Device_Details nt_host as host-fqdn output bunit | search bunit="Medicine") | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1660905790.000000 lt=1660906690.000000 remove=true max_count=1000 max_prefetch=100
While the parentheses balance, I read somewhere that they have to balance within the pipe (|), which they don't.
We do indeed have a nessus index, and several months ago someone started work on getting a nessus reporting dashboard in splunk to work (still ongoing). However, I am not sure why a simple search on index=Med would reference "nessus".
Does the litsearch command look wrong?
Where is it picking up the conf to produce such a command and can it be fixed?
I have tried to create a table view of "med" and I get no entries rather than an error. I did that because it would be good to see the index to know it's not a permission error.
Perhaps your role has a Search Filter defined that is causing the error. If so, work with your Splunk admin to fix it.
Yes, parentheses must match within a pipe.
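A small diagnostic, added here and not from the original thread, that applies that rule to the litsearch string from the question: it splits the search on pipes outside double quotes and reports each segment whose parentheses do not close within the segment, so the whole string balances while four individual commands do not.

```python
# The litsearch string from the question, copied verbatim (only split across
# source lines for readability).
SEARCH = (
    'litsearch (index="med" index=nessus ((source="SI - EZproxy" '
    'orig_sourcetype="nessus:scan") OR sourcetype="nessus:scan") '
    '| lookup Device_Details nt_host as host-fqdn output bunit '
    '| search bunit="Medicine") '
    '| litsearch (index="med" index=nessus sourcetype=nessus:scan '
    '| lookup Device_Details nt_host as host-fqdn output bunit '
    '| search bunit="Medicine") '
    '| fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" '
    '"linecount" "source" "sourcetype" "splunk_server" '
    '| remotetl nb=300 et=1660905790.000000 lt=1660906690.000000 '
    'remove=true max_count=1000 max_prefetch=100'
)


def segment_depths(search):
    """Scan once and return [(command, net_depth)] for each '|'-separated
    segment; '|', '(' and ')' inside double-quoted strings are ignored."""
    results, text, depth, in_quote = [], [], 0, False
    for ch in search + "|":             # trailing '|' flushes the last segment
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "|":
            words = "".join(text).split()
            results.append((words[0] if words else "", depth))
            text, depth = [], 0
            continue
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
        text.append(ch)
    return results


def unbalanced_segments(search):
    """(index, command, net_depth) for segments whose parentheses do not
    close within the segment; this is the check the error message refers to."""
    return [(i, cmd, d) for i, (cmd, d) in enumerate(segment_depths(search)) if d != 0]


def balanced_overall(search):
    """True when the string balances as a whole, which is not sufficient."""
    return sum(d for _, d in segment_depths(search)) == 0


if __name__ == "__main__":
    print("balanced overall:", balanced_overall(SEARCH))
    for i, cmd, depth in unbalanced_segments(SEARCH):
        print(f"segment {i} ({cmd}): net depth {depth:+d}")
```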