Re: Why does my search "tag=x NOT tag=y" returns "...

coleman07 · ‎10-16-2014

I am very confused as to why I am getting "No results found" when searching for events matching tags=x but has no properties which would assign tag y to it. The reason for this search would be to weed out events with both tags but I would have thought if tag y is orthogonal to tag x, all events for tag x should appear. Very confused.

I am working with the Splunk Windows add-on and here is a real search that boggles my mind. First, let me define two tags used in the add-on:

lock eventtype=windows_account_lockout
port eventtype=script_listeningports,eventtype=windows_firewall_port_listening

These two tags look very orthogonal. None of the lock events should match the port tag and vice versa.

When I run the following search:

tag=port NOT tag=lock

I get back events with tag port included. If I remove the NOT statement, nothing changes in terms of tags.

Flip the search like so:

tag=lock NOT tag=port

It comes back stating "No results found" yet when I look at the different tags associated with just the search:

tag=lock

none of the tags include port so the NOT part shouldn't exclude any data. What is going on in this situation? Why the results I am seeing? I was in the process of implementing an app written by Splunk which does precisely a search like this and it is causing the dashboard to fail.

woodcock · ‎05-05-2015

If this is a problem, it has to do with using eventtypes and as such, I suspect that it only is a problem with eventtypes that use wildcards. Will you list out your eventtypes?

v6 works fine when using tags for index-time extracted field KVPs for tags.

coleman07 · ‎10-20-2014

I looked at the job inspector and the LISP code produced by it. The following LISP code corresponds to the search: "tag=port NOT tag=lock":
[AND [OR sourcetype::script:listeningports [AND sourcetype:::Security [OR 4957 861 source::]]][OR[NOT source::][NOT sourcetype:::security]]]

Whereas the search for "tag=lock NOT tag=port" results in this LISP code:
[AND sourcetype::*:security [NOT sourcetype::script:listeningport][OR 4740 644 source::*][OR[NOT source::][NOT sourcetype:::security]]]

Because the OR in the first code statement short circuits the NOT statements, it appears this is why you get events from that search. If I am reading the LISP code correctly for the second search, it appears to boil down to [AND sourcetype:::Security [NOT sourcetype:::Security]] which I assume would produce no results and this seems like a bug in the compiler for creating the search. Am I correct?

bgaignon · ‎10-17-2014

Hi,

Can you confirm that:

search tag=port OK
search tag=lock OK
search tag=port NOT tag=lock OK
search tag=lock NOT tag=port NOT OK

That doesn't make sense. Can you share the complete search ? Do you make some filters before ?

coleman07 · ‎10-17-2014

I did confirm it while I wrote the question. I wanted to be sure that both the lock tag and port tag produced data. I am not clear what you mean by complete search. The two lines above are the complete search.

joebensimo · ‎04-27-2015

I have this same problem with v6.0. It appears that NOT does not work with tags. 😞

Why does my search "tag=x NOT tag=y" returns "No results found"?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor