I have a search that is populated by a lookup file and filtering out matches returned by subsearch. When the subsearch fails the alert fires. This is the wrong behavior! The alert should not fire:
|inputlookup the_list.csv | search NOT [ search index=main | dedup host | fields host ]
When my sub search fails, evidence:
Audit:[timestamp=01-11-2015 00:00:47.651, user=n/a, action=search, info=failed, search_id='subsearch_scheduler_USERNAMEsearch_XXXXXXXXXXXXXX_at_1420934400_28791_1420934427.1', total_run_time=2.97, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1420934427, api_et=1420920000.000000000, api_lt=1420934400.000000000, search_et=1420920000.000000000, search_lt=1420934400.000000000, is_realtime=0, savedsearch_name=""][n/a]
The alert fires! This is the wrong behavior.
What is the alert based on? Number of events?
Can you run ?