Splunk Search

Why is my map search returning "No Results Found"?

motobeats
Path Finder

Can anyone help me with this map search? Both the inner and outer searches return what I expect, but when I try to combine them, I get "No Results Found". I've used Map before, so I can't understand what I am doing wrong.

Inner Search

"ERROR" index=*tie* earliest=-21d date_hour=10 date_wday=friday| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1

Outer Search

"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday

Failing Search

"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday|map search=""ERROR" index=*tie* earliest=-21d date_hour=$date_hour$ date_wday=$date_wday$| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1"
1 Solution

motobeats
Path Finder

Found the answer in this question. I need to add search inside my search.

Wrong
map search="error"

Right
map search="search error"

http://answers.splunk.com/answers/27012/whats-wrong-with-this-map-search-command.html

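For reference, here is the failing search from the question rewritten with the fix from the accepted answer applied. This is an added example, not something posted in the thread; the time range, span and window are the original poster's, while the maxsearches value is an assumption explained below.

```spl
"ERROR" index=*tie* earliest=-21d
| dedup date_hour date_wday
| table date_hour, date_wday
| map maxsearches=200 search="search \"ERROR\" index=*tie* earliest=-21d date_hour=$date_hour$ date_wday=$date_wday$ | bucket _time span=60m | stats count by _time, date_hour, date_wday, date_mday | streamstats current=true window=5 p99(count) as trendline | tail 1"
```

Three things changed relative to the failing search. The string handed to map now begins with the search command, which is the fix the answer points to; without it map has no command to run and the job inspector reports "Unable to run query". The inner double quotes around ERROR are escaped as \" so that the outer parser does not terminate the search= argument early, which is exactly what the inspector's WARN line shows happening (the quotes around ERROR are gone from the query it tried to run). Finally, map stops and emits a message once it has run maxsearches subsearches, and the default is 10; with dedup over date_hour and date_wday the outer search can yield up to 24 x 7 = 168 rows, so the limit is raised (200 is an assumed ceiling, pick whatever fits the number of rows you expect). Note also that the $field$ values are spliced into the subsearch string verbatim, so drive map from fields whose values you control, as these fixed hour and weekday values are, and quote or validate anything that comes from event data.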

dd_msearles
Path Finder

Ah that was my issue as well.
Seems like pretty crappy format to have search="search blah" ... oh well - thanks.


motobeats
Path Finder

Here is the error I get when I inspect the job:

This search has completed and found 2 matching events. However, the transforming commands in the highlighted portion of the following search:

search "ERROR" index=*tie* | dedup date_hour date_wday | table date_hour, date_wday | map search=ERROR index=*tie* date_hour=$date_hour$ date_wday=$date_wday$ maxsearches=10
over the time range:

9/18/15 10:46:00.000 AM – 9/18/15 11:46:06.000 AM
generated no results. Possible solutions are to:

check the syntax of the commands
verify that the fields expected by the report commands are present in the events
The following messages were returned by the search subsystem:

WARN: Unable to run query 'ERROR index=*tie* date_hour=11 date_wday=friday'.