Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?

HealyDPS
Explorer
‎01-30-2017 02:02 PM

I had this search working and now it seems to have stopped gives an error. Thoughts?

Search:

index=symantec sourcetype=file Host_Name=[search index=dhcp "*ip address*" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | return $Hostname] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

Error:

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harshal_chakran
Builder
‎01-30-2017 11:17 PM

Try using it like this:

 index=symantec sourcetype=file [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | rename Hostname as Host_Name] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

Removed the comparator and used subsearch.

View solution in original post

Reply
Solved! Jump to solution

abhinav_maxonic
Path Finder
‎07-17-2017 04:08 AM

Check the macro definition in macros.conf at the location /opt/splunk/etc/apps/digitalguardian_web . In my case, the marco was wrongly defined.

$SPLUNK_HOME$/etc/apps/digitalguardian_web/local/macros.conf
Wrong Definition -
[index_macro]
definition = index=digitalguardian
Right Definition
[index_macro]
definition = digitalguardian

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎01-31-2017 01:23 AM

The error is most likely triggereing because the subsearch [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | return $Hostname] is resolving to NULL, therefore your outer search is being run as 

index=symantec sourcetype=file Host_Name= | ... etc

Check that your subsearch returns results, either by running the search on its own or look in the job inspector

0 Karma
Reply
Solved! Jump to solution

HealyDPS
Explorer
‎01-31-2017 05:46 AM

I did the sub search and I get the information I am looking for. So how would I fix this now? Also I put in the information wrong. I am added a more correct search string.

0 Karma
Reply
Solved! Jump to solution
Solution

harshal_chakran
Builder
‎01-30-2017 11:17 PM

Try using it like this:

 index=symantec sourcetype=file [search index=dhcp "Require for all Events or Make "*"" "DHCPACK" AND "RENEW"| sort by _time desc | rex "\((?.*?)\)"| dedup Hostname | table Hostname | rename Hostname as Host_Name] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

Removed the comparator and used subsearch.

Reply
Solved! Jump to solution

HealyDPS
Explorer
‎01-31-2017 06:32 AM

Thanks that worked. Plus I figured out why no results were coming back. Thanks again.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎01-31-2017 05:49 AM

This is a saner method for sure

0 Karma
Reply
Solved! Jump to solution

HealyDPS
Explorer
‎01-31-2017 06:25 AM

So I did this:

index=symantec sourcetype=symantecfield [search index=dhcp "ip" "DHCPACK" AND "RENEW"| sort by _time desc | rex "((?.*?))"| dedup Hostname | table Hostname | return $Hostname] | dedup user | eval time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table time,Host_Name,user,_raw

No longer getting error but I am getting no results. But if I put the results of the subsearch in search I will get the results I want. Both searches seems to work by themselves but not together.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...