Lack of subsearch results causing query to error
I have a search that looks at historical data (using timewrap) and then compares it to the current day's data:
index=os* result=failed
| timechart count span=15m
| timewrap 1day
| tail 1
| fields 28days_before 21days_before 14days_before 7days_before
| transpose column_name=day
| rename "row 1" AS count
| head 4
| stats avg(count) as average stdev(count) as standard_deviation max(count) as hist_max
| eval today_fails=[
search index=os* result=failed earliest=-30m
| timechart span=15m count
| tail 1
| return $count
]
| eval window_high=(average + standard_deviation)
| where today_fails > window_high
I'll break down the search now:
1. Looks for authentication failure events
2. Puts the data into a timechart using 15 minute intervals
3. Uses timewrap to compare data day-to-day
4. Removes all but latest 15 minutes of data
5. We want to compare today's data to historical data from the same day of the week (Monday to Monday, Tuesday to Tuesday, etc.). This filters out the unnecessary data.
6. Flips the table in anticipation of performing some calculations on the data
7. Renames the field
8. Filters out more unnecessary data from the transposed table
9. Calculates the average, standard deviation, and historical maximum
10. Creates a subsearch to pull in today's data
11. Looks for authentication failure events over the past 30 minutes
12. Puts the data into a timechart using 15 minute intervals
13. Strips out all but the latest 15 minutes
14. Returns the number of events found in the subsearch
15. Close subsearch
16. Sets the maximum threshold for alerting purposes
17. Compares today's data against the maximum threshold, returning results if today's is greater.
The search pulls the last 30 days of events and puts them in a timechart. It then uses the timewrap command to compare data day-to-day. Since we only want to look at historical data from the same day of the week, it filters out everything else.
Everything is fine so long as the subsearch can return actual events. However, there are plenty of instances where no authentication failures occurred in a given window. When that happens, I get the following error upon running the search:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression
The search job has failed due to an error. You may be able view the job in the Job Inspector.
My question is, how can I adjust my subsearch so that it always returns a value? Either 0 or, if events were found, whatever that number is.
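One way to make the subsearch always yield a number, as an added example that is not part of the original post (index, field and result names are taken from the question above): instead of splicing the subsearch's text into `eval` with `return`, which leaves `eval today_fails=` with nothing on the right-hand side when no events match, attach the result as a column with `appendcols` and zero-fill it. The `stats` inside the subsearch still yields a row (or no row) rather than raw text, and `fillnull` creates `today_fails=0` whenever the column is missing, so `where` always has a value to compare.

```spl
index=os* result=failed
| timechart count span=15m
| timewrap 1day
| tail 1
| fields 28days_before 21days_before 14days_before 7days_before
| transpose column_name=day
| rename "row 1" AS count
| head 4
| stats avg(count) AS average stdev(count) AS standard_deviation max(count) AS hist_max
| appendcols [
    search index=os* result=failed earliest=-30m
    | timechart span=15m count
    | tail 1
    | stats sum(count) AS today_fails
  ]
| fillnull value=0 today_fails
| eval window_high=(average + standard_deviation)
| where today_fails > window_high
```

When the historical side has no data at all, `average` is null and the final `where` simply returns no rows instead of erroring, which is the same quiet outcome as a window with zero failures.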