Solved: Error in 'Search Parser': Missing a closing tick m...

Kamlesh1905 · ‎04-04-2021

Dear Community Experts,

Need your urgent help on below error that I am getting when trying to run the below curl command,

search="search index=perfmon_idx host=* `M_Performance(Perfmon:CPU Load,% Processor Time)` instance=_Total | timechart avg(Value) by host | eval warning_threshold = 70 | eval critical_threshold = 90" -d output_mode=json -d earliest_time="-60m@m" -d latest_time="-0m@m" -o C:\CPULog.txt

Error in 'SearchParser': Missing a closing tick mark for macro expansion.

Can someone please help me to understand what is missing here ?

Kamlesh1905 · ‎04-04-2021

I got the issue in this search, percent sign ( % ) was the culprit. Batch file doesn't support it so I have to use the escape char. I changed my query and it worked,

\%% Processor Time)` instance=_Total

View solution in original post

tscroggins · ‎04-04-2021

@Kamlesh1905

I don't get exactly the same error, but curl on Windows may not be encoding the % correctly, giving unexpected results. Try explicitly encoding the % within the command-line:

curl ... -d search="search index=perfmon_idx host=* `M_Performance(Perfmon:CPU Load,%25 Processor Time)` instance=_Total | timechart avg(Value) by host | eval warning_threshold = 70 | eval critical_threshold = 90" -d output_mode=json -d earliest_time="-60m@m" -d latest_time="-0m@m" -o C:\CPULog.txt

Kamlesh1905 · ‎04-04-2021

I got the issue in this search, percent sign ( % ) was the culprit. Batch file doesn't support it so I have to use the escape char. I changed my query and it worked,

\%% Processor Time)` instance=_Total

Error in 'Search Parser': Missing a closing tick mark for macro expansion.

saved search

scheduled search

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM