topic Why does my search "tag=x NOT tag=y" returns "No results found"? in All Apps and Add-ons

Why does my search "tag=x NOT tag=y" returns "No results found"?

coleman07 — Fri, 17 Oct 2014 06:14:33 GMT

I am very confused as to why I am getting "No results found" when searching for events matching tags=x but has no properties which would assign tag y to it. The reason for this search would be to weed out events with both tags but I would have thought if tag y is orthogonal to tag x, all events for tag x should appear. Very confused.

I am working with the Splunk Windows add-on and here is a real search that boggles my mind. First, let me define two tags used in the add-on:

lock eventtype=windows_account_lockout
port eventtype=script_listeningports,eventtype=windows_firewall_port_listening

These two tags look very orthogonal. None of the lock events should match the port tag and vice versa.

When I run the following search:

tag=port NOT tag=lock

I get back events with tag port included. If I remove the NOT statement, nothing changes in terms of tags.

Flip the search like so:

tag=lock NOT tag=port

It comes back stating "No results found" yet when I look at the different tags associated with just the search:

tag=lock

none of the tags include port so the NOT part shouldn't exclude any data. What is going on in this situation? Why the results I am seeing? I was in the process of implementing an app written by Splunk which does precisely a search like this and it is causing the dashboard to fail.

Re: Why does my search "tag=x NOT tag=y" returns "No results found"?

bgaignon — Fri, 17 Oct 2014 09:53:18 GMT

Hi,

Can you confirm that:

search tag=port OK
search tag=lock OK
search tag=port NOT tag=lock OK
search tag=lock NOT tag=port NOT OK

That doesn't make sense. Can you share the complete search ? Do you make some filters before ?

Re: Why does my search "tag=x NOT tag=y" returns "No results found"?

coleman07 — Fri, 17 Oct 2014 20:38:14 GMT

I did confirm it while I wrote the question. I wanted to be sure that both the lock tag and port tag produced data. I am not clear what you mean by complete search. The two lines above are the complete search.

Re: Why does my search "tag=x NOT tag=y" returns "No results found"?

coleman07 — Mon, 20 Oct 2014 21:36:37 GMT

I looked at the job inspector and the LISP code produced by it. The following LISP code corresponds to the search: "tag=port NOT tag=lock":
[AND [OR sourcetype::script:listeningports [AND sourcetype:::Security [OR 4957 861 source::]]][OR[NOT source::][NOT sourcetype:::security]]]

Whereas the search for "tag=lock NOT tag=port" results in this LISP code:
[AND sourcetype::*:security [NOT sourcetype::script:listeningport][OR 4740 644 source::*][OR[NOT source::][NOT sourcetype:::security]]]

Because the OR in the first code statement short circuits the NOT statements, it appears this is why you get events from that search. If I am reading the LISP code correctly for the second search, it appears to boil down to [AND sourcetype:::Security [NOT sourcetype:::Security]] which I assume would produce no results and this seems like a bug in the compiler for creating the search. Am I correct?

Re: Why does my search "tag=x NOT tag=y" returns "No results found"?

joebensimo — Tue, 28 Apr 2015 05:08:13 GMT

I have this same problem with v6.0. It appears that NOT does not work with tags. 😞

Re: Why does my search "tag=x NOT tag=y" returns "No results found"?

woodcock — Tue, 05 May 2015 23:46:05 GMT

If this is a problem, it has to do with using eventtypes and as such, I suspect that it only is a problem with eventtypes that use wildcards. Will you list out your eventtypes?

v6 works fine when using tags for index-time extracted field KVPs for tags.