When i run this query it seems to run just fine as an adhoc search but when i schedule it, it throws the following error [subsearch]: [subsearch]: [SERVER1] Search process did not exit cleanly, exi...
See more...
When i run this query it seems to run just fine as an adhoc search but when i schedule it, it throws the following error [subsearch]: [subsearch]: [SERVER1] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info. Here's the query. The issue is definitely not space on the drive, there's plenty of space. Also, if I hard code subsearch search index=idx2 earliest=-30d@d latest=now, the scheduled search will work fine but then i would have to add some additional lines of SPL to ensure we are using only the latest pull to avoid duplicate data which takes a little longer to run as well. index=myindex sourcetype="mysource1"
[| metadata index=myindex type=sourcetypes
| search sourcetype="mysource1"
| eval earliest=relative_time(lastTime,"-1h@h")
| table earliest]
| table id1 field1 field2 field3
| join type=left field3
[ search index=idx2
[| metadata index=idx2 type=sourcetypes
| search sourcetype="source2"
| eval earliest=relative_time(lastTime,"-1h@h")
| table earliest]
| rename id as field3
| table field3,f4,f5,f6,f7]