Can anyone help me with this map search? Both the inner and outer searches return what I expect, but when I try to combine them, I get "No Results Found". I've used Map before, so I can't understand what I am doing wrong.
"ERROR" index=*tie* earliest=-21d date_hour=10 date_wday=friday| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1
This search has completed and found 2 matching events. However, the transforming commands in the highlighted portion of the following search:
search "ERROR" index=*tie* | dedup date_hour date_wday | table date_hour, date_wday | map search=ERROR index=*tie* date_hour=$date_hour$ date_wday=$date_wday$ maxsearches=10
over the time range:
9/18/15 10:46:00.000 AM – 9/18/15 11:46:06.000 AM
generated no results. Possible solutions are to:
check the syntax of the commands
verify that the fields expected by the report commands are present in the events
The following messages were returned by the search subsystem:
WARN: Unable to run query 'ERROR index=*tie* date_hour=11 date_wday=friday'.