Hello
I am using Splunk to analyse results from Qualys Vulnerability Scanning
I have noticed that one of my searches is not returning any results :
index="qualys" earliest=-0mon@mon | where host_ip="10.10.10.10"
I know there should be results for this specific search, but the search almost instantly returns the "No results found" message with no errors or warnings displayed.
However, during my investigation, I noticed that if I add any subsearch to the original search, the search works as intended.
Example:
index="qualys" earliest=-0mon@mon | where host_ip="10.10.10.10" | append [ search index=qualys | tail 1 ]
This search should append only 1 line after the original search, but it now returns 36 results and takes more than 5 minutes (35 results are what we expect from the original search).
Anyone encountered this issue?
Regards