topic Re: subsearch not working in Splunk Search

subsearch not working

benzmmrmnn86 — Wed, 04 Dec 2019 15:04:35 GMT

I have an alert using a subsearch that was working a few weeks ago. Now all of a sudden i cannot get any subsearchs to work. A very simple search i performed is:

index=IndexName sourcetype=WindowsEventLogs [search sourcetype="VPNLogs" CN=Ben_zimmermann
| table CN]

If i perform each search individually, i get results but when i put them together, i do not get any results.

Re: subsearch not working

oscar84x — Wed, 04 Dec 2019 15:33:46 GMT

Off the top of my head, could you try specifying the index in the subsearch?

Re: subsearch not working

jpolvino — Wed, 04 Dec 2019 15:49:00 GMT

Can you please run it against a time period that is known to be good? You mention a few weeks, so try a little before that when you know you had positive alerts. Maybe the composition of your logs has changed.

Re: subsearch not working

gcusello — Wed, 04 Dec 2019 15:49:14 GMT

HI @benzmmrmnn86,
when you run the subsearch by itself, what's the number of results?
remember that there's the limit of 50,000 results in subsearches, so if you have more results. maybe the ones you need are the exceeding part of results.
You could modify subsearch as the following:

index=IndexName sourcetype=WindowsEventLogs [search index=my_index sourcetype="VPNLogs" CN=Ben_zimmermann
| dedup CN | table CN]

Then I agree with @oscar84x: it's a good practice to use always the index in every search and subsearch.

Ciao.
Giuseppe