After upgrading to 7.0.x, searches using NOT host= filters are giving no results, with this warning in the job inspector: "The specified search will not match any events".
Is there a known issue and workaround surrounding this?
Even a search as simple as the one below doesn't work:
index=_internal NOT host=abc
Thanks!
Pradeep
Splunk acknowledged this as a bug that was introduced in 7.0.2 and exists in all 7.0.x versions. It affects searches where you use NOT on a field that is part of an autolookup. Will update this thread as I learn more about the bug and the fix.
Bug# - SPL-157848
Workaround - set enable_conditional_expansion to true in limits.conf
This bug doesn't impact 7.1.x versions
Do you change that parameter only in the Search Head?
Yes, only search heads.