Splunk Search

'Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the left hand side'

prathapkcsc
Explorer

Hi,
I am getting the below error
'Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the left hand side'

My search looks like this

source="path\\to\\the\\files\\*" host="my" index="main"  | rex "^\s*(?<Type>[^,]+),\s*(?<Category>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<Cpu_Usage_Percentage>[^,]+),\s*(?<Total_Disk_TB>[^,]+),\s*(?<Used_Disk_TB>[^,]+),\s*(?<Total_Memory_GB>[^,]+),\s*(?<Used_Memory_GB>\S+)"
| table  _time Type Category  Count Cpu_Usage_Percentage Total_Disk_TB Used_Disk_TB Total_Memory_GB Used_Memory_GB

My XML file looks like this

<form>
  <label>7 days metrics</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="TIME_STRING" searchWhenChanged="true">
      <label>Select Day</label>
      <choice value="earliest=@d latest=now">Today</choice>
      <choice value="earliest=-d@d latest=@d">Yesterday</choice>
      <choice value="earliest=-2d@d latest=-d@d">2 Days Ago</choice>
      <choice value="earliest=-3d@d latest=-2d@d">3 Days Ago</choice>
      <choice value="earliest=-4d@d latest=-3d@d">4 Days Ago</choice>
      <choice value="earliest=-5d@d latest=-4d@d">5 Day Ago</choice>
      <choice value="earliest=-6d@d latest=-5d@d">6 Days Ago</choice>
      <choice value="eariiest=-7d@d latest=-6d@d">7 Days Ago</choice>
      <default>earliest=@d latest=now</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>>$TIME_STRING$index = main | head 10</query>
          <earliest>-4d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">10</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

But, I am getting the above error.
Can anyone help me with this?
Thank you.

0 Karma
1 Solution

sbbadri
Motivator

There is a typo "query>>" and it should be query> $TIME_STRING$ index = main | head 10

And a typo in earliest as well: 7 Days Ago


0 Karma

prathapkcsc
Explorer

Sorry, I removed that.
But a new error came up here.

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: latest=nowindex

0 Karma

sbbadri
Motivator

There should be a space between $TIME_STRING$ and index=main.

$TIME_STRING$ index=main

0 Karma

prathapkcsc
Explorer

Perfect. But I want the data in table format.

<form>
  <label>7 days metrics</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="TIME_STRING" searchWhenChanged="true">
      <label>Select Day</label>
      <choice value="earliest=@d latest=now">Today</choice>
      <choice value="earliest=-d@d latest=@d">Yesterday</choice>
      <choice value="earliest=-2d@d latest=-d@d">2 Days Ago</choice>
      <choice value="earliest=-3d@d latest=-2d@d">3 Days Ago</choice>
      <choice value="earliest=-4d@d latest=-3d@d">4 Days Ago</choice>
      <choice value="earliest=-5d@d latest=-4d@d">5 Day Ago</choice>
      <choice value="earliest=-6d@d latest=-5d@d">6 Days Ago</choice>
      <choice value="eariiest=-7d@d latest=-6d@d">7 Days Ago</choice>
      <default>earliest=@d latest=now</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query> $TIME_STRING$ source="path\\*" host="my" index="main"  | rex "^\s*(?<Type>[^,]+),\s*(?<Category>[^,]+),\s*(?<date>\d{4}-\d{2}-\d{2}),\s*(?<time>\d{2}\:\d{2}),\s*(?<Count>\d+),\s*(?<Cpu_Usage_Percentage>[^,]+),\s*(?<Total_Disk_TB>[^,]+),\s*(?<Used_Disk_TB>[^,]+),\s*(?<Total_Memory_GB>[^,]+),\s*(?<Used_Memory_GB>\S+)"
| table  _time Type Category  Count Cpu_Usage_Percentage Total_Disk_TB Used_Disk_TB Total_Memory_GB Used_Memory_GB </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">10</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

It's giving me an error like invalid closing tag in query line.

0 Karma

prathapkcsc
Explorer

I placed the entire query in a CDATA section. It's working now. Thank you for the help.

0 Karma
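
The two failures discussed in this thread, reproduced as an added example (not code from the original posts or from Splunk): the rex named groups such as (?<Type>...) break the dashboard XML unless the query is wrapped in CDATA or entity-escaped, and the token value is pasted into the query as plain text, so a missing space yields latest=nowindex. The shortened query and the substitute() helper are constructed for illustration; substitute() is a simplified model of dashboard token replacement.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a shortened version of the thread's query, two named groups.
SPL = (r'$TIME_STRING$ index="main" '
       r'| rex "^\s*(?<Type>[^,]+),\s*(?<Category>[^,]+)" '
       r'| table _time Type Category')

# Three ways of placing the same search inside <query>.
RAW = "<search><query>" + SPL + "</query></search>"
CDATA = "<search><query><![CDATA[" + SPL + "]]></query></search>"
ESCAPED = "<search><query>" + escape(SPL) + "</query></search>"

# Token value taken from the "Today" choice of the dropdown in the thread.
TOKENS = {"TIME_STRING": "earliest=@d latest=now"}


def extract_query(xml_text):
    """Return the text of <query>, or None if the XML is not well-formed."""
    try:
        return ET.fromstring(xml_text).findtext("query")
    except ET.ParseError:
        # (?<Type> is read as an opening <Type> tag, so </query> no longer matches.
        return None


def substitute(query, tokens):
    """Replace $name$ tokens textually (simplified model, no quoting or spacing added)."""
    return re.sub(r"\$(\w+)\$", lambda m: tokens[m.group(1)], query)


def report():
    """Summarise which variants parse and what the substituted searches look like."""
    return {
        "raw_parses": extract_query(RAW) is not None,
        "cdata_parses": extract_query(CDATA) == SPL,
        "escaped_parses": extract_query(ESCAPED) == SPL,
        "no_space": substitute("$TIME_STRING$index = main | head 10", TOKENS),
        "with_space": substitute("$TIME_STRING$ index = main | head 10", TOKENS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```
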

Grumpalot
Communicator

Please take a look at your code on line 21

       <query>>$TIME_STRING$index = main | head 10</query>
       <earliest>-4d</earliest>
       <latest>now</latest>
       <sampleRatio>1</sampleRatio>
     </search>

There is an extra >

0 Karma

prathapkcsc
Explorer

Sorry, I removed that.
But a new error came up here.
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: latest=nowindex

0 Karma