Solved: After upgrading to 7.0.x searches, using NOT host=...

pradeepkumarg · ‎07-27-2018

After upgrade to 7.0.x searches using NOT host= filters are giving no results with the warning in the job inspector as "The specified search with not match any events"

Is there a known issue and workaround surrounding this?

As simple as below doesn't work

index=_internal NOT host=abc

Thanks!

Pradeep

pradeepkumarg · ‎07-27-2018

Splunk acknowledged this as a bug introduced in 7.0.2 and exists on all 7.0.x versions. This affects when you use NOT on a field that is part of an autolookup. Will update this thread as I learn more on the bug and the fix.

Bug# - SPL-157848
Workaround - set enable_conditional_expansion to true in limits.conf

This bug doesn't impact 7.1.x versions

View solution in original post

pradeepkumarg · ‎07-27-2018

Splunk acknowledged this as a bug introduced in 7.0.2 and exists on all 7.0.x versions. This affects when you use NOT on a field that is part of an autolookup. Will update this thread as I learn more on the bug and the fix.

Bug# - SPL-157848
Workaround - set enable_conditional_expansion to true in limits.conf

This bug doesn't impact 7.1.x versions

tiagofbmm · ‎08-10-2018

Do you change that parameter only in the Search Head?

pradeepkumarg · ‎08-20-2018

yes.. only search heads

After upgrading to 7.0.x searches, using NOT host= filters gives no results

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann