
Why does my search "tag=x NOT tag=y" return "No results found"?

coleman07
Path Finder

I am very confused as to why I am getting "No results found" when searching for events that match tag=x but have no properties that would assign tag y to them. The reason for this search would be to weed out events with both tags, but I would have thought that if tag y is orthogonal to tag x, all events for tag x should appear. Very confused.

I am working with the Splunk Windows add-on and here is a real search that boggles my mind. First, let me define two tags used in the add-on:

lock eventtype=windows_account_lockout
port eventtype=script_listeningports,eventtype=windows_firewall_port_listening

These two tags look very orthogonal. None of the lock events should match the port tag and vice versa.

When I run the following search:

tag=port NOT tag=lock

I get back events with tag port included. If I remove the NOT statement, nothing changes in terms of tags.

Flip the search like so:

tag=lock NOT tag=port

It comes back stating "No results found" yet when I look at the different tags associated with just the search:

tag=lock

none of the tags include port, so the NOT part shouldn't exclude any data. What is going on in this situation? Why am I seeing these results? I was in the process of implementing an app written by Splunk which does precisely a search like this, and it is causing the dashboard to fail.

woodcock
Esteemed Legend

If this is a problem, it has to do with using eventtypes, and as such I suspect that it is only a problem with eventtypes that use wildcards. Will you list out your eventtypes?

v6 works fine when using tags on index-time extracted field KVPs.


coleman07
Path Finder

I looked at the job inspector and the LISP code produced by it. The following LISP code corresponds to the search: "tag=port NOT tag=lock":
[AND [OR sourcetype::script:listeningports [AND sourcetype:::Security [OR 4957 861 source::]]][OR[NOT source::][NOT sourcetype:::security]]]

Whereas the search for "tag=lock NOT tag=port" results in this LISP code:
[AND sourcetype::*:security [NOT sourcetype::script:listeningport][OR 4740 644 source::*][OR[NOT source::][NOT sourcetype:::security]]]

Because the OR in the first statement short-circuits the NOT statements, that appears to be why you get events from that search. If I am reading the LISP code correctly for the second search, it appears to boil down to [AND sourcetype:::Security [NOT sourcetype:::Security]], which I assume would produce no results, and this seems like a bug in the compiler that creates the search. Am I correct?

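To check the reading of the two job-inspector expansions above, here is an added example (not code from the thread, the Splunk add-on, or Splunk itself) that parses the bracketed LISP form exactly as pasted and evaluates it against a few constructed Windows events, then compares that with the plain set-difference semantics the question expects. The evaluator's semantics are assumptions: a bare token such as 4740 is an indexed keyword term matched against _raw, field::value is a case-insensitive glob match on an indexed field, and the '*' characters that appear to have been lost in the paste (source:: beside source::*, sourcetype:::security) are restored before matching. The event records, their sourcetypes and EventCodes are constructed for the demonstration.

```python
"""Replay the two job-inspector LISP expansions quoted above against a few
constructed Windows events, to see why one returns rows and the other none."""
import fnmatch
import re

# Constructed sample events (not from the poster's environment). Bare keyword
# terms in the expansion are matched against _raw; field::value terms against
# the indexed fields.
EVENTS = [
    {"_id": "lockout-4740", "sourcetype": "WinEventLog:Security",
     "source": "WinEventLog:Security", "_raw": "EventCode=4740 Account locked out"},
    {"_id": "lockout-644", "sourcetype": "WinEventLog:Security",
     "source": "WinEventLog:Security", "_raw": "EventCode=644 Account locked out"},
    {"_id": "fw-port-4957", "sourcetype": "WinEventLog:Security",
     "source": "WinEventLog:Security", "_raw": "EventCode=4957 Firewall rule event"},
    {"_id": "script-ports", "sourcetype": "script:listeningports",
     "source": "powershell://listeningports", "_raw": "dest_port=445 transport=tcp"},
]

# The two expansions exactly as pasted in the thread.
PORT_NOT_LOCK = ("[AND [OR sourcetype::script:listeningports [AND sourcetype:::Security "
                 "[OR 4957 861 source::]]][OR[NOT source::][NOT sourcetype:::security]]]")
LOCK_NOT_PORT = ("[AND sourcetype::*:security [NOT sourcetype::script:listeningport]"
                 "[OR 4740 644 source::*][OR[NOT source::][NOT sourcetype:::security]]]")


def tokenize(text):
    return re.findall(r"\[|\]|[^\s\[\]]+", text)


def parse(tokens):
    """Turn the bracket form into nested lists: ['AND', child, ...] or a term."""
    tok = tokens.pop(0)
    if tok != "[":
        return tok
    node = [tokens.pop(0)]            # operator: AND, OR or NOT
    while tokens[0] != "]":
        node.append(parse(tokens))
    tokens.pop(0)                     # consume the closing bracket
    return node


def term_matches(term, event):
    if "::" in term:
        field, value = term.split("::", 1)
        # Assumption: the paste dropped '*' characters (note source:: beside
        # source::*), so an empty value or one starting with ':' gets the
        # wildcard back. Field values are compared case-insensitively as globs.
        if value == "":
            value = "*"
        elif value.startswith(":"):
            value = "*" + value
        return fnmatch.fnmatchcase(event.get(field, "").lower(), value.lower())
    # Bare token: an indexed keyword term, matched as a whole token in _raw.
    return re.search(rf"(?<!\w){re.escape(term)}(?!\w)", event["_raw"]) is not None


def evaluate(node, event):
    if isinstance(node, str):
        return term_matches(node, event)
    op, *args = node
    if op == "AND":
        return all(evaluate(a, event) for a in args)
    if op == "OR":
        return any(evaluate(a, event) for a in args)
    if op == "NOT":
        return not evaluate(args[0], event)
    raise ValueError(f"unknown operator {op!r}")


def run_search(lisp, events):
    """IDs of the events the expanded search would return."""
    tree = parse(tokenize(lisp))
    return [e["_id"] for e in events if evaluate(tree, e)]


# What the question expects: tag membership derived from the eventtype
# definitions, then a plain set difference. Simplified reading of the two
# eventtype groups listed in the question (assumption, not the add-on's conf).
def has_tag(tag, event):
    security = fnmatch.fnmatchcase(event["sourcetype"].lower(), "*:security")
    m = re.search(r"EventCode=(\d+)", event["_raw"])
    code = m.group(1) if m else None
    if tag == "lock":
        return security and code in {"4740", "644"}
    if tag == "port":
        return event["sourcetype"] == "script:listeningports" or (
            security and code in {"4957", "861"})
    raise ValueError(tag)


def expected_results(tag, not_tag, events):
    return [e["_id"] for e in events if has_tag(tag, e) and not has_tag(not_tag, e)]


if __name__ == "__main__":
    print("tag=port NOT tag=lock ->", run_search(PORT_NOT_LOCK, EVENTS))
    print("tag=lock NOT tag=port ->", run_search(LOCK_NOT_PORT, EVENTS))
    print("expected lock minus port ->", expected_results("lock", "port", EVENTS))
```

Under these assumptions the second expansion returns nothing, for the reason given above: every Security-sourcetype event with a source fails the trailing [OR [NOT source::*] [NOT sourcetype::*:security]] clause, so the AND can never be satisfied by a lockout event. The same trailing clause also drops the Security-sourcetype firewall event from the first expansion, leaving only the script:listeningports rows, so if the paste is faithful it is worth checking in the real deployment whether "tag=port NOT tag=lock" is silently losing the windows_firewall_port_listening events as well.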

bgaignon
Path Finder

Hi,

Can you confirm that:

  • search tag=port OK
  • search tag=lock OK
  • search tag=port NOT tag=lock OK
  • search tag=lock NOT tag=port NOT OK

That doesn't make sense. Can you share the complete search? Do you apply any filters before it?


coleman07
Path Finder

I did confirm it while I wrote the question. I wanted to be sure that both the lock tag and port tag produced data. I am not clear what you mean by complete search. The two lines above are the complete search.


joebensimo
Path Finder

I have this same problem with v6.0. It appears that NOT does not work with tags. 😞
