Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Failed to parse templatized search for field....

IRHM73
Motivator
‎03-14-2019 07:46 AM

Hi.

I wonder whether someone may be able to help me please.

I'm using the query below:

| multisearch
[ search `gateway_wmf(APIClientRequest)` path=*test*]
[ search `wso2_wmf(APIRequestCompleted)` "request.detail.Context"=*test]
| eval RequestID=coalesce('request.tags.X-Request-ID','requestID')
| rename request.detail.applicationProductionClientId as ClientID 
| lookup consumercalls.csv ClientID OUTPUT Developer
| eval header=""
| foreach clientHeaders.test* [eval header=header+test<<MATCHSTR>>]
| bucket span=10s _time
| chart values(ClientID) as ClientID sum(clientHeaders.test*) as clientHeaders.test* by RequestID
| fields - RequestID

The query works except that on random days when I receive this error:

Failed to parse templatized search for field 'clientHeaders.test-client-device-id{}'

From comparing these dates I've discovered that it's because the fieldname has the {}.

Could someone tell me please is there a way to get around this?

Many thanks and kind regards

Chris

0 Karma
Reply

tmurata_splunk
Splunk Employee
Splunk Employee
‎08-21-2019 02:23 AM

I saw a similar message below
[splunk-idx1] Failed to parse templatized search for field 'tag::eventtype'

This error was caused by following forearch command.

| foreach *
[ eval <<FIELD>> = if(isnull(<<FIELD>>),"",<<FIELD>>)]

I think the <> template cannot handle fields contains special characters. I worked around this by adding | fields - tag::eventtype just before the foreach.
You can probably work around by adding | fields - 'clientHeaders.test-client-device-id{}'

Reply

adonio
Ultra Champion
‎03-15-2019 07:36 AM

is that a JSON format data?
look into the | spath command

0 Karma
Reply

IRHM73
Motivator
‎03-19-2019 12:25 AM

Hi @adonio. Thank you for coming back to me with this.

Yes the data is in a JSON style format, but this is a fieldname and not data which I have an issue with.

Many thanks and kind regards

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...