×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Lavani
Observer
Member since: ‎06-03-2023
‎06-12-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-03-2023
Activity Feed
View All

Why does subsearch always have zero results?

by in Splunk Search
‎06-12-2023 04:19 PM
‎06-12-2023 04:19 PM
Hello Everyone. I have a search with a subsearch that's correctly running on a test environment (Splunk 8.2.9). Now I copied it on a production environment (Splunk 82.9), but it doesn't run: the subsearch has always zero as result.   | rest /services/authorization/roles/ | search title="logmon_app*" | table title | rename title as role | join type=left role max=0 [| rest /services/authentication/users | table roles title | rename title as userName,roles as role | mvexpand role | search role="logmon_app*" ] | stats values(userName) as username by role | eval rolepresent="yes" | outputlookup logmon_roles_users.csv override_if_empty=false,     Thank you  ... View more
Labels

Why is this search returning the wrong result?

by in Splunk Search
‎06-03-2023 02:35 PM
‎06-03-2023 02:35 PM
The search query it showing only the roles for currently logged-in user. But this is not what we are looking for, we need list of users with logmon_app* roles. | rest /services/authorization/roles/  | search title="logmon_app*" | table title  | rename title as roles | join type=left role max=0      [| rest /services/authentication/users      | table roles title      | rename title as userName      | mvexpand roles | search roles="logmon_app*" ]  | stats values(userName) as username by roles |eval rolepresent="yes"   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-12-2023 07:49 PM