Search returns valid results, but fails with "Invalid search: AND AND" if defined as a subsearch:
1. Search works ok:
source=nbstatus requestinghost=icsl2492 User=viefhwd starttime="12/09/2014:16:44:40" endtime="12/09/2014:16:45:40" | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(StartTime) AS stime | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(stime) AS starttime | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(FinishTime) AS entime | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(entime) AS endtime |table requestinghost User starttime endtime
requestinghost User starttime endtime
icsl2492 viefhwd 12/09/2014:16:45:37 12/09/2014:16:54:50
2. If I define the above search as a subsearch to join with a different source, it fails:
src=license [search source=nbstatus requestinghost=icsl2492 User=viefhwd starttime="12/09/2014:16:44:40" endtime="12/09/2014:16:45:40" | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(StartTime) AS stime | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(stime) AS starttime | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(FinishTime) AS entime | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(entime) AS endtime |table requestinghost User starttime endtime]
Error in 'search' command: Unable to parse the search: Invalid search: AND AND.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
3. If I remove only endtime from the previous query, it works:
src=license [search source=nbstatus requestinghost=icsl2492 User=viefhwd starttime="12/09/2014:16:44:40" endtime="12/09/2014:16:45:40" | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(StartTime) AS stime | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(stime) AS starttime | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(FinishTime) AS entime | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(entime) AS endtime |table requestinghost User starttime]
12,004 events (before 12/12/14 3:26:47.781 PM)
4. If I replace the subsearch from #2 with the hard-coded results of #1, I get the right results:
src=license requestinghost=icsl2492 User=viefhwd starttime="12/09/2014:16:45:37" endtime="12/09/2014:16:54:50" | chart count by result
result count
DENIED 20
So what is wrong with my query #2?
Thank you,
Gregory
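An added diagnostic, not part of Gregory's post: piping the inner search through `format` renders its result rows into the literal search string that Splunk would splice into the outer query, so the exact tokens the outer parser chokes on can be read off instead of guessed at. The second search is an assumption of how the same time window could be handed to the outer search via the `earliest`/`latest` field-name convention, using the epoch values the `convert` commands already compute; the thread does not confirm it.

```spl
/* 1. Show what the subsearch actually expands to. The "search" field of the
   single output row is the string the outer search would receive. */
source=nbstatus requestinghost=icsl2492 User=viefhwd starttime="12/09/2014:16:44:40" endtime="12/09/2014:16:45:40"
| convert timeformat="%m/%d/%Y %H:%M:%S" mktime(StartTime) AS stime
| convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(stime) AS starttime
| convert timeformat="%m/%d/%Y %H:%M:%S" mktime(FinishTime) AS entime
| convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(entime) AS endtime
| table requestinghost User starttime endtime
| format

/* 2. Assumed alternative: return the epoch bounds under the field names
   earliest/latest, which a subsearch passes to the outer search as its time
   range, and keep only the plain field terms for the license events. */
src=license
    [ search source=nbstatus requestinghost=icsl2492 User=viefhwd starttime="12/09/2014:16:44:40" endtime="12/09/2014:16:45:40"
      | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(StartTime) AS earliest
      | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(FinishTime) AS latest
      | fields requestinghost User earliest latest ]
| chart count by result
```

Run the first search on its own and compare its `search` field with the working hard-coded query from #4; any token that differs is where the outer parse diverges.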