I have a search that is populated by a lookup file and filters out matches returned by a subsearch. When the subsearch fails, the alert fires. This is the wrong behavior! The alert should not fire:
|inputlookup the_list.csv | search NOT [ search index=main | dedup host | fields host ]
When my subsearch fails, evidence:
Audit:[timestamp=01-11-2015 00:00:47.651, user=n/a, action=search, info=failed, searchid='subsearchschedulerUSERNAMEsearch_XXXXXXXXXXXXXXat1420934400287911420934427.1', totalruntime=2.97, eventcount=0, resultcount=0, availablecount=0, scancount=0, dropcount=0, exectime=1420934427, apiet=1420920000.000000000, apilt=1420934400.000000000, searchet=1420920000.000000000, searchlt=1420934400.000000000, isrealtime=0, savedsearch_name=""][n/a]
The alert fires! This is the wrong behavior.
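One way to make the alert fail closed, as an added example that is not part of the original post or any answer to it: when the subsearch errors out or is truncated it returns zero rows, so `NOT [ ... ]` becomes `NOT ()` and every row of the lookup passes. Pulling the subsearch in with `append` instead, tagging its rows, and then counting how many tagged rows actually arrived lets the search suppress its own output when that count is zero. The lookup name, index and the `host` field are the ones from the question; the `in_list`, `seen` and `total_seen` field names are assumptions made for this example.

```spl
| inputlookup the_list.csv
| eval in_list=1
| append [ search index=main | dedup host | fields host | eval seen=1 ]
| stats max(in_list) AS in_list, max(seen) AS seen BY host
| eventstats sum(seen) AS total_seen
| where in_list=1 AND isnull(seen) AND total_seen > 0
```

If the appended subsearch fails or returns nothing, `seen` is never set, `total_seen` is null, and the final `where` drops every row, so an alert conditioned on the result count stays silent instead of firing on the whole lookup. The trade-off is that a genuinely empty index (no hosts seen at all) also produces no alert, so a separate check on `total_seen` itself is worth keeping. `append` is still a subsearch and still subject to the subsearch result and time limits, so a truncated run can under-report `seen` hosts; the guard only protects against the all-or-nothing case shown in the audit log above.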
What is the alert based on? Number of events?
Can you run ?