There are a couple of things that could be possible issues and since we don't have the complete rule here, if something isn't defined in the events or match sections properly, these issues may be part of the reason you are getting an error. 

I put together a set of 4 blogs on metrics, here is the first one https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Using-Metrics-in-YARA-L-... but this one highlights the basic foundations of how a rule with a metric might look with your criteria in the events section, the match section containing whatever you are aggregating by with a time window of over 1d which basically is the present that we will then use to compare against the yesterday(s) in the metrics.

This blog starts getting into the statistical measures and what you might want to set in the condition section of the rule to establish a threshold for the rule to trigger against when comparing today's measures against the historical measure https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Using-Metrics-in-YARA-L-...

Finally, I would take a look at the docs around metrics because you have a number of options to choose from https://cloud.google.com/chronicle/docs/detection/metrics-functions#functions

The principal.user.userid is certainly a fine choose for the filter, but as @dnehoda mentions, you will want to make sure that this is a placeholder variable in the events section of the rule, and I would probably also use it as the match variable as well. If you wanted a more granular metric to calculate on, you can, the lists in the functions in the docs provide the combinations you can use, you just need to make sure that the entire combination is used in the metric as well.

Hopefully these few tips help get you going in the right direction but if you have more questions, don't hesitate to reach out!