Reputation: 1407
Splunk subsearch return empty
The following search returned 258 events:
index="index001" AND exception AND maintainRewardsProductSwitch NOT DebitCardRewardsMaintainServiceImpl AND "Ineligible"
Then I used subsearch to include all events having the same trace as well:
index="index001" AND exception AND maintainRewardsProductSwitch NOT DebitCardRewardsMaintainServiceImpl
[search "Ineligible" | table LogMessage.message.trace]
and it returned no events. Was there anything wrong with my subsearch?
Upvotes: 0
Views: 50
Answers (1)
Reputation: 9926
Recall that subsearches run before the main search and that the results of the subsearch replace the subsearch text (similar to a macro).
In this case, Splunk will search all of your default indexes (which could be none) for the string "Inelible" and return the values found in the LogMessage.message.trace field.
That makes the main search into something like
index="index001" AND exception AND maintainRewardsProductSwitch NOT DebitCardRewardsMaintainServiceImpl
(LogMessage.message.trace="foo" OR LogMessage.message.trace="bar" OR LogMessage.message.trace="baz")
So why does the query return no results with the subsearch? Perhaps index001 does not contain a LogMessage.message.trace field or the field does not contain the values found by the subsearch.
Upvotes: 1
Related Questions
- Splunk - Extracting from search results using regex and aggregates
- How to show nested structures in Splunk table
- splunk map pass multiple values
- Splunk search events
- SPLUNK use result from first search in second search
- Extract a field from nested json in a splunk query
- Splunk left jion is not giving as exepcted
- Splunk query filter out based on other event in same index
- Splunk search no subsearch
- Adding a constraint to a Splunk search yields more result rows