Splunk Search

Why does a join query not return results unless I give specific field values?

Communicator

Hello,

I am noticing the following strange behavior with a join. It is actually not returning results when I use a *, but returns results when I provide the specific IP instead of * (thus returning no results after "casting a wider net"):

======================================
QUERY 1:
index=devices-syslog-ng DeviceName=TESTDEV earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00 RemoteIP="46.32.233.226" | join joinkey1 [search index=CONN earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00 RemoteIP="*"] | search CID=18858272

NO RESULTS

======================================

QUERY 2:
index=devices-syslog-ng DeviceName=TESTDEV earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00 RemoteIP="46.32.233.226" | join joinkey1 [search index=CONN earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00 RemoteIP="46.32.233.226"] | search CID=18858272

42 RESULTS

======================================

Any ideas why this may be happening? I have also tried adjusting limits.conf:

[join]
subsearch_maxout = 0
subsearch_maxtime = 0
subsearch_timeout = 0

[subsearch]
# maximum number of results to return from a subsearch
maxout = 0
# maximum number of seconds to run a subsearch before finalizing
maxtime = 0
# time to cache a given subsearch's results
ttl = 0

[searchresults]
maxresultrows = 0
# maximum number of times to try in the atomic write operation (1 = no retries)
tocsv_maxretry = 5
# retry period is 1/2 second (500 milliseconds)
tocsv_retryperiod_ms = 500

SplunkTrust

Take a look at this question and answer for how to replace join with stats: http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...
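The same correlation written with stats instead of join, as an added example that is not from this thread or the linked answer. It reuses the poster's index names, time range and field names (joinkey1, RemoteIP, CID) and assumes, as the original queries do, that joinkey1 is present in events from both indexes:

```spl
(index=devices-syslog-ng DeviceName=TESTDEV RemoteIP="46.32.233.226") OR index=CONN
  earliest=05/21/2015:00:00:00 latest=05/23/2015:00:00:00
| stats dc(index) AS sources, values(RemoteIP) AS RemoteIP, values(CID) AS CID BY joinkey1
| where sources=2
| search CID=18858272
```

Nothing here runs as a subsearch, so the [join] and [subsearch] maxout/maxtime settings the poster was tuning do not apply; `where sources=2` keeps only join keys seen in both indexes, which is what the inner join did.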

Motivator

Hello! Did you try RemoteIP=* without ""?

SplunkTrust

That makes no difference whatsoever.
