Why is there an error "error in 'search' command" ...

cj04 · ‎03-14-2022

<title> Clam Scan Results </title> <event>
<search> ref="anti-virus scan results">
</search>
<option name="list.drilldown"
>none</option>

I have been trying to input this query into Splunk and I am getting the following error: error in 'search' command: unable to parse the search: Comparator '<' is missing a term on the left hand side.

I have removed the > before the ref, but I still get the same result. Can anyone help me solve this?

SanjayReddy · ‎03-14-2022

Hi @cj04

Hope you are using your code inside dashboard,

please use following code inside dashboard

<row>
<panel>
<event>
<title> Clam Scan Results </title>
<search ref="anti-virus scan results"> </search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>

richgalloway · ‎03-14-2022

Where exactly are you trying to put this text?

The quoted text is Simple XML from a dashboard, not SPL one can put into a search box. It seems like this is being pasted into the Search & Reporting app and the SPL parser is failing on the first '<'.

What problem are you trying to solve with this text?

---
If this reply helps you, Karma would be appreciated.

cj04 · ‎03-14-2022

What do I need to edit so I can post this into the Search & Reporting and get the desired outcome?

cj04 · ‎03-14-2022

What am I trying to solve is from my "Clam Scan Results" I am wanting Splunk to pick those up. I am using this text in the search portion of Splunk, but I am also new to Splunk. How can I properly get this setup where my results are posting in Splunk?

Why is there an error "error in 'search' command" in my search?

using Splunk Enterprise

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)