
I have events something like:

{
    taskId:5a6d
    category:created
    when:1517131461
    ...
}

{
    taskId:5a6d
    category:started
    when:1517131609
    ...
}

{
    taskId:5a6d
    category:ended
    when:1517134657
    ...
}

For each task (task id is same), we have events when it is created / started / ended.

I'd like to search for any task that was never processed (task is created but not started). Here is my search statement:

index=XXX sourcetype=XXX category=created | search NOT [search index=XXX sourcetype=XXX category=started | fields taskId]

This statement works correctly if the time range is less than 48 hours. If the time range is set to, for example, the latest 7 days, the above search statement works incorrectly. It returns a lot of tasks (category=created), which would mean these tasks were never processed. Actually, they are processed; I can find the events (category=started) by taskId.

I have no idea what's wrong with it. It seems the subsearch doesn't return correct results over the time range of the main search.

1 Answer

This will be hard to debug without seeing your exact data.

To make it simpler, you can try something like this to do everything with one search:

index=XXX sourcetype=XXX (category=created OR category=started)
| eventstats values(category) as categories by taskId
| search category=created categories=created NOT categories=started
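As an added illustration (not code from the question or the answer), here is a small Python model of both approaches run over constructed events in the question's shape. A configurable cap stands in for the subsearch result limit, which is assumed here to be why the subsearch-based NOT filter degrades over a longer time range, while the one-pass grouping is unaffected:

```python
from collections import defaultdict

# Constructed sample events in the shape shown in the question (not real data).
EVENTS = [
    {"taskId": "5a6d", "category": "created", "when": 1517131461},
    {"taskId": "5a6d", "category": "started", "when": 1517131609},
    {"taskId": "5a6d", "category": "ended",   "when": 1517134657},
    {"taskId": "7b02", "category": "created", "when": 1517140000},
    {"taskId": "7b02", "category": "started", "when": 1517140100},
    {"taskId": "9c11", "category": "created", "when": 1517150000},  # never started
]


def subsearch_style(events, subsearch_limit=None):
    """Mimic `category=created | search NOT [search category=started | fields taskId]`.

    `subsearch_limit` is an assumption standing in for the cap on how many
    results a subsearch may hand back: ids beyond the cap are silently dropped,
    so their tasks are wrongly reported as never started.
    """
    started = sorted({e["taskId"] for e in events if e["category"] == "started"})
    if subsearch_limit is not None:
        started = started[:subsearch_limit]  # truncated subsearch result
    created = {e["taskId"] for e in events if e["category"] == "created"}
    return sorted(created - set(started))


def eventstats_style(events):
    """Mimic `eventstats values(category) as categories by taskId` plus a
    filter for created-but-not-started: one pass over all events, no subsearch,
    so nothing is truncated."""
    categories = defaultdict(set)
    for e in events:
        categories[e["taskId"]].add(e["category"])
    return sorted(t for t, cats in categories.items()
                  if "created" in cats and "started" not in cats)


if __name__ == "__main__":
    print("subsearch, no cap:", subsearch_style(EVENTS))
    print("subsearch, cap=1: ", subsearch_style(EVENTS, subsearch_limit=1))
    print("eventstats:       ", eventstats_style(EVENTS))
```

With the cap in effect the subsearch version reports task 7b02 as unprocessed even though its started event exists, which matches the false positives described in the question.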