Solved: Re: Error in 'search' command: Unable to parse the...

buttsurfer · ‎02-12-2023

index=index1 type=1 feature IN ([search index=index1 type=type2 application=weather_app
    | dedup feature
    | fields feature
    | format
    ])

The above code returns this error and i cant seem to figure out how to fix it. Any help would be appreciated

Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals. '((feature = "feature1") OR (feature = "feature2") OR (feature = "feature3") OR (feature = "feature4") is not a literal.

buttsurfer · ‎02-12-2023

Fixed it by adding

          | dedup feature
          | fields feature
          | format "" "" "" "" "," ""
          | eval search=replace (search, "feature=", "")

View solution in original post

buttsurfer · ‎02-12-2023

Fixed it by adding

          | dedup feature
          | fields feature
          | format "" "" "" "" "," ""
          | eval search=replace (search, "feature=", "")

gcusello · ‎02-12-2023

Hi @buttsurfer,

you can also use this easier solution:

index=index1 type=1 [search index=index1 type=type2 application=weather_app | rename feature AS query | fields query ]
| ...

Ciao.

Giuseppe

Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals?

other

subsearch

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?