Solved: order of sub searches changed when using saved sea...

mataharry · ‎12-03-2010

in 4.1.6 On the UI, I can run a search with a sub search in the condition.

index="_internal" source="log" OR [ search index=_internal source="etrics" | head 2 |table source ] | table source

But when I save it and call it from the "saved search" menu. Or that I type it on the summary page, on the result page, all got wrong because the order changed.

the [ search ...] block is now at the beginning of the line

[ search index=_internal source="etrics" | head 2 |table source ] index="_internal" source="log" OR | table source

Genti · ‎12-05-2010

This was brought to support's attention last week. It's an intentions issue and this behavior is already fixed on 4.2
Perhaps it will also be fixed in the next maintenance release, you could try creating a case with support so that your issue gets logged as well.

Cheers

View solution in original post

Genti · ‎12-05-2010

This was brought to support's attention last week. It's an intentions issue and this behavior is already fixed on 4.2
Perhaps it will also be fixed in the next maintenance release, you could try creating a case with support so that your issue gets logged as well.

Cheers

mataharry · ‎07-09-2012

thanks Genti Sama.

order of sub searches changed when using saved search or the summary page

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms