I have a saved search that started to fail like so....
ERROR SavedSplunker - savedsearch_id="nobody;search;Powered On VMs Without UF", message="Error in 'where' command: The 'not' function is unsupported or undefined.". No actions executed
I can open the saved search and run it without any errors and it was working fine every Monday morning for months, but has recently started to fail when scheduled.
Any thoughts?
| inputlookup VMs.csv | rename "Summary|Guest Operating System|Guest OS Full Name" as OS | search OS="Microsoft Windows*" | eval Name=lower(Name) | fields Name
| where NOT [| metadata index=perfmon type=hosts earliest=-1d@d latest=now
| where lastTime > relative_time(now(), "-1d@d")
| rex field=host "(?[^\.]+)"
| eval Name=lower(Name) | fields Name]
| sort Name
↧