Can anyone help me with this map search? Both the inner and outer searches return what I expect, but when I try to combine them, I get "No Results Found". I've used Map before, so I can't understand what I am doing wrong.
Inner Search
"ERROR" index=*tie* earliest=-21d date_hour=10 date_wday=friday| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1
Outer Search
"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday
Failing Search
"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday|map search=""ERROR" index=*tie* earliest=-21d date_hour=$date_hour$ date_wday=$date_wday$| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1"
Found the answer in this question. I need to add search inside my search.
Wrong
map search="error"
Right
map search="search error"
http://answers.splunk.com/answers/27012/whats-wrong-with-this-map-search-command.html
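The combined search with the fix applied, as an added example (not part of the original question or answer). It keeps the original's `index=*tie*`, field names and `$date_hour$`/`$date_wday$` tokens; the backslash-escaped inner quotes and the `maxsearches` value are this example's assumptions, not something the thread states.

```spl
| tstats count WHERE index=*tie* BY index
| search index=*tie*
| fields - count
| search "ERROR" index=*tie*
| dedup date_hour date_wday
| table date_hour, date_wday
| map maxsearches=100 search="search \"ERROR\" index=*tie* earliest=-21d date_hour=$date_hour$ date_wday=$date_wday$ | bucket _time span=60m | stats count by _time, date_hour, date_wday, date_mday | streamstats current=true window=5 p99(count) as trendline | tail 1"
```

Two points a practitioner should check beyond the missing `search` keyword: the inner query contains its own double-quoted term (`"ERROR"`), which must be escaped as `\"ERROR\"` inside the `search="..."` string or the outer quote ends early; and `map` runs one subsearch per row of the outer search, stopping at `maxsearches` (the job inspector output on this page shows the default of 10), so an outer search that yields more than 10 distinct `date_hour`/`date_wday` pairs silently loses the remaining rows unless `maxsearches` is raised. The first three lines (`tstats`/`fields`) are not needed for the fix and can be dropped; the search begins at `search "ERROR" index=*tie*`.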
Ah that was my issue as well.
Seems like pretty crappy format to have search="search blah" ... oh well - thanks.
Here is the error I get when I inspect the job
This search has completed and found 2 matching events. However, the transforming commands in the highlighted portion of the following search:
search "ERROR" index=*tie* | dedup date_hour date_wday | table date_hour, date_wday | map search=ERROR index=*tie* date_hour=$date_hour$ date_wday=$date_wday$ maxsearches=10
over the time range:
9/18/15 10:46:00.000 AM – 9/18/15 11:46:06.000 AM
generated no results. Possible solutions are to:
check the syntax of the commands
verify that the fields expected by the report commands are present in the events
The following messages were returned by the search subsystem:
WARN: Unable to run query 'ERROR index=*tie* date_hour=11 date_wday=friday'.