Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my map search returning "No Results Found"?

motobeats
Path Finder
‎09-18-2015 08:29 AM

Can anyone help me with this map search? Both the inner and outer searches return what I expect, but when I try to combine them, I get "No Results Found". I've used Map before, so I can't understand what I am doing wrong.

Inner Search

"ERROR" index=*tie* earliest=-21d date_hour=10 date_wday=friday| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1

Outer Search

'"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday'

Failing Search

"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday|map search=""ERROR" index=*tie* earliest=-21d date_hour=$date_hour$ date_wday=$date_wday$| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1"
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

motobeats
Path Finder
‎09-18-2015 09:12 AM

Found the answer in this question. I need to add search inside my search.

Wrong
map search="error"

Right
map search="search error"

http://answers.splunk.com/answers/27012/whats-wrong-with-this-map-search-command.html

View solution in original post

Reply
Solved! Jump to solution
Solution

motobeats
Path Finder
‎09-18-2015 09:12 AM

Found the answer in this question. I need to add search inside my search.

Wrong
map search="error"

Right
map search="search error"

http://answers.splunk.com/answers/27012/whats-wrong-with-this-map-search-command.html

Reply
Solved! Jump to solution

dd_msearles
Path Finder
‎04-26-2018 06:06 PM

Ah that was my issue as well.
Seems like pretty crappy format to have search="search blah" ... oh well - thanks.

0 Karma
Reply
Solved! Jump to solution

motobeats
Path Finder
‎09-18-2015 08:47 AM

Here is the error I get when I inspect the job

This search has completed and found 2 matching events. However, the transforming commands in the highlighted portion of the following search:

search "ERROR" index=*tie* | dedup date_hour date_wday | table date_hour, date_wday | map search=ERROR index=*tie* date_hour=$date_hour$ date_wday=$date_wday$ maxsearches=10
over the time range:

9/18/15 10:46:00.000 AM – 9/18/15 11:46:06.000 AM
generated no results. Possible solutions are to:

check the syntax of the commands
verify that the fields expected by the report commands are present in the events
The following messages were returned by the search subsystem:

WARN: Unable to run query 'ERROR index=*tie* date_hour=11 date_wday=friday'.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...