Hello,
I am noticing the following strange behavior with a join. It is actually not returning results when I use a *, but returns results when I provide the specific IP instead of * (thus returning no results after "casting a wider net"):
======================================
QUERY 1:
index=devices-syslog-ng DeviceName=TESTDEV earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00 RemoteIP="46.32.233.226" | join joinkey1 [search index=CONN earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00 RemoteIP="*"] | search CID=18858272
NO RESULTS
======================================
QUERY 2:
index=devices-syslog-ng DeviceName=TESTDEV earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00 RemoteIP="46.32.233.226" | join joinkey1 [search index=CONN earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00 RemoteIP="46.32.233.226"] | search CID=18858272
42 RESULTS
======================================
Any ideas why this may be happening? I have also tried adjusting limits.conf:
[join]
# limits applied to the subsearch that the join command runs
subsearch_maxout = 0
subsearch_maxtime = 0
subsearch_timeout = 0
[subsearch]
# general subsearch limits (result rows, run time, cache ttl)
maxout = 0
maxtime = 0
ttl = 0
[searchresults]
# overall result-set limits
maxresultrows = 0
tocsv_maxretry = 5
tocsv_retryperiod_ms = 500
Take a look at this question and answer for how to replace join with stats: http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...
Hello! Did you try RemoteIP=* without ""?
That makes no difference whatsoever.