Splunk Search

Error when trying to use a subsearch (Unable to parse the search: Right hand side of IN must be a collection of literals

cyp112
Engager

Hello,

I am trying to use a subsearch on another search but not sure how to format it properly

Subsearch:

eventtype=pan (https://link1.net OR https://link2.net OR https://link3.net)
| rex field=url "LEN_(?<serial>\w+)"
| fillnull value=NULL src_bunit, serial
| fields src_bunit
| dedup src_bunit
| mvcombine src_bunit delim=","
| nomv src_bunit | format

The syntax shown from the format command is:

( src_bunit="A,B,C,D,E,F" ) )

 

On the main search I get this error:

Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals.

The main search

eventtype=dsp_inventory device_control_tags="IMPORTANT*" code IN([subsearch

 

My question is how can a format the subsearch in a way that on the main search it will show results like?:

A,B,C,D,E,F       instead of     src_bunit="A,B,C,D,E,F"    

 

Any ideas? Thank you!

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Replace the 'format' command with

return $src_bunit

that will return A,B,C,D,E,F

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

Replace the 'format' command with

return $src_bunit

that will return A,B,C,D,E,F

 

cyp112
Engager

That did it. Thanks a lot. You sir are a God!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...