topic Re: Why is search not executing? in Splunk Search

Why is search not executing?

mmor — Thu, 29 Aug 2019 16:06:09 GMT

Hello

I am using Splunk to analyze results from Qualys Vulnerability Scanning

I have noticed that one of my searches is not returning any results :

index="qualys" earliest=-0mon@mon |
 where host_ip="10.10.10.10"

I know there should be results for this specific search but the search almost instantly returns the "No results found" message with no errors or warning displayed

However, during my investigation, I noticed that if I add any subsearch to the original search, the search work as intended.
example:

 index="qualys" earliest=-0mon@mon  |
 where host_ip="10.10.10.10"  | append 
     [ search index=qualys 
     | tail 1]

This search should append only 1 line after the original search, but it now returns 36 results and takes more than 5 minutes (35 results are what we expect from the original search).

Did anyone encounter this issue?

Regards

Re: Why is search not executing?

mayurr98 — Thu, 29 Aug 2019 16:35:34 GMT

try this?

index="qualys" earliest=-0mon@mon host_ip="10.10.10.10" | table _raw

and then try without table as well.

Re: Why is search not executing?

diogofgm — Thu, 29 Aug 2019 16:43:11 GMT

Use this

index="qualys" earliest=@mon host_ip="10.10.10.10"

there is no point on using |wheresince you're filtering. just do it in the main search
also since your point is from beginning of the month you can just use earliest=@mon

Re: Why is search not executing?

mmor — Fri, 30 Aug 2019 13:51:55 GMT

Hello,

Thanks for your answer.

This does fix the issue for this specific search but i'd like to know why my original search is not working in case this issue is affecting my other searches

Regards