Splunk Search

Why is my map search returning "No Results Found"?

motobeats
Path Finder

Can anyone help me with this map search? Both the inner and outer searches return what I expect, but when I try to combine them, I get "No Results Found". I've used Map before, so I can't understand what I am doing wrong.

Inner Search

"ERROR" index=*tie* earliest=-21d date_hour=10 date_wday=friday| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1

Outer Search

"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday

Failing Search

"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday|map search=""ERROR" index=*tie* earliest=-21d date_hour=$date_hour$ date_wday=$date_wday$| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1"
1 Solution

motobeats
Path Finder

Found the answer in this question. I need to add search inside my search.

Wrong
map search="error"

Right
map search="search error"

http://answers.splunk.com/answers/27012/whats-wrong-with-this-map-search-command.html

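To see why the first template fails and the "search"-prefixed one works, here is an added Python example (not code from this thread or from Splunk) that expands a map template against the rows the outer search hands to map, the way map substitutes $field$ tokens per row, and flags any rendered subsearch that does not begin with the search command. The row values are constructed, and the backslash escaping of the inner quotes around ERROR is an assumption about how a quoted string is written inside map's search="..." argument.

```python
import re

# Constructed sample rows standing in for what the outer search
#   "ERROR" index=*tie* | dedup date_hour date_wday | table date_hour, date_wday
# would pass to map, one subsearch per row. Values are hypothetical.
OUTER_ROWS = [
    {"date_hour": "10", "date_wday": "friday"},
    {"date_hour": "11", "date_wday": "friday"},
]

# Template as the original post wrote it: no leading "search" command.
BROKEN_TEMPLATE = (
    'ERROR index=*tie* earliest=-21d date_hour=$date_hour$ date_wday=$date_wday$'
)

# Template with the fix from the accepted answer: the subsearch starts with
# "search". The inner quotes are backslash-escaped (assumption about SPL quoting
# inside the search="..." argument).
FIXED_TEMPLATE = (
    'search \\"ERROR\\" index=*tie* earliest=-21d '
    'date_hour=$date_hour$ date_wday=$date_wday$'
)

# map tokens look like $fieldname$
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def render(template, row):
    """Substitute $field$ tokens from one outer row and unescape \\" to \".

    The result is the query string the search subsystem would receive
    (assumption: map strips the backslash escapes when it runs the subsearch).
    """
    def sub(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"map token ${name}$ has no matching field in row {row}")
        return str(row[name])
    return TOKEN.sub(sub, template).replace('\\"', '"')


def starts_with_command(query):
    """A map subsearch must begin with a command; this thread's case is 'search'."""
    words = query.split(None, 1)
    return bool(words) and words[0].lower() == "search"


def expand_map(template, rows, maxsearches=10):
    """Render the template for every row (up to maxsearches, as map does).

    Returns (queries, problems): the rendered subsearches and a list of
    human-readable reasons a subsearch would be unable to run.
    """
    queries, problems = [], []
    if len(rows) > maxsearches:
        problems.append(
            f"{len(rows)} rows but maxsearches={maxsearches}; later rows are dropped"
        )
    for row in rows[:maxsearches]:
        query = render(template, row)
        queries.append(query)
        if not starts_with_command(query):
            # Mirrors the job inspector's "WARN: Unable to run query ..." symptom.
            problems.append(f"Unable to run query '{query}': no leading search command")
    return queries, problems


if __name__ == "__main__":
    for label, template in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        queries, problems = expand_map(template, OUTER_ROWS)
        print(f"[{label}]")
        for q in queries:
            print("  subsearch:", q)
        for p in problems:
            print("  problem:  ", p)
```

Running it prints one rendered subsearch per outer row; the broken template produces a problem line for every row, matching the WARN shown later in the thread, while the fixed template renders clean queries of the form search "ERROR" index=*tie* earliest=-21d date_hour=10 date_wday=friday.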


dd_msearles
Path Finder

Ah, that was my issue as well.
Seems like pretty crappy format to have search="search blah" ... oh well - thanks.


motobeats
Path Finder

Here is the error I get when I inspect the job:

This search has completed and found 2 matching events. However, the transforming commands in the highlighted portion of the following search:

search "ERROR" index=*tie* | dedup date_hour date_wday | table date_hour, date_wday | map search=ERROR index=*tie* date_hour=$date_hour$ date_wday=$date_wday$ maxsearches=10
over the time range:

9/18/15 10:46:00.000 AM – 9/18/15 11:46:06.000 AM
generated no results. Possible solutions are to:

check the syntax of the commands
verify that the fields expected by the report commands are present in the events
The following messages were returned by the search subsystem:

WARN: Unable to run query 'ERROR index=*tie* date_hour=11 date_wday=friday'.