Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my map search returning "No Results Found"?

motobeats
Path Finder
‎09-18-2015 08:29 AM

Can anyone help me with this map search? Both the inner and outer searches return what I expect, but when I try to combine them, I get "No Results Found". I've used Map before, so I can't understand what I am doing wrong.

Inner Search

"ERROR" index=*tie* earliest=-21d date_hour=10 date_wday=friday| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1

Outer Search

'"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday'

Failing Search

"ERROR" index=*tie* | dedup date_hour date_wday| table date_hour, date_wday|map search=""ERROR" index=*tie* earliest=-21d date_hour=$date_hour$ date_wday=$date_wday$| bucket _time span=60m|stats count by _time, date_hour,date_wday,date_mday|streamstats current=true window=5 p99(count) as trendline|tail 1"
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

motobeats
Path Finder
‎09-18-2015 09:12 AM

Found the answer in this question. I need to add search inside my search.

Wrong
map search="error"

Right
map search="search error"

http://answers.splunk.com/answers/27012/whats-wrong-with-this-map-search-command.html

View solution in original post

Reply
Solved! Jump to solution
Solution

motobeats
Path Finder
‎09-18-2015 09:12 AM

Found the answer in this question. I need to add search inside my search.

Wrong
map search="error"

Right
map search="search error"

http://answers.splunk.com/answers/27012/whats-wrong-with-this-map-search-command.html

Reply
Solved! Jump to solution

dd_msearles
Path Finder
‎04-26-2018 06:06 PM

Ah that was my issue as well.
Seems like pretty crappy format to have search="search blah" ... oh well - thanks.

0 Karma
Reply
Solved! Jump to solution

motobeats
Path Finder
‎09-18-2015 08:47 AM

Here is the error I get when I inspect the job

This search has completed and found 2 matching events. However, the transforming commands in the highlighted portion of the following search:

search "ERROR" index=*tie* | dedup date_hour date_wday | table date_hour, date_wday | map search=ERROR index=*tie* date_hour=$date_hour$ date_wday=$date_wday$ maxsearches=10
over the time range:

9/18/15 10:46:00.000 AM – 9/18/15 11:46:06.000 AM
generated no results. Possible solutions are to:

check the syntax of the commands
verify that the fields expected by the report commands are present in the events
The following messages were returned by the search subsystem:

WARN: Unable to run query 'ERROR index=*tie* date_hour=11 date_wday=friday'.
0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...