Hello
I am using Splunk to analyze results from Qualys Vulnerability Scanning
I have noticed that one of my searches is not returning any results:
index="qualys" earliest=-0mon@mon |
where host_ip="10.10.10.10"
I know there should be results for this specific search but the search almost instantly returns the *"No results found"* message with no errors or warning displayed
However, during my investigation, I noticed that if I add any subsearch to the original search, the search works as intended.
example:
index="qualys" earliest=-0mon@mon |
where host_ip="10.10.10.10" | append
[ search index=qualys
| tail 1]
This search should append only 1 line after the original search, but it now returns 36 results and takes more than 5 minutes (35 results are what we expect from the original search).
Did anyone encounter this issue?
Regards
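A diagnostic search to run before changing anything, as an added example that is not part of the original post. It assumes the same index and time range as above and a field named `host_ip`; the first command checks whether `host_ip` is present at all on the events in that window, and the second compares `where` against `search` for the same value so the two filtering commands can be checked side by side.

```spl
index="qualys" earliest=-0mon@mon
| eval has_host_ip=if(isnotnull(host_ip), "yes", "no")
| stats count by has_host_ip

index="qualys" earliest=-0mon@mon
| search host_ip="10.10.10.10"
| stats count AS search_count

index="qualys" earliest=-0mon@mon
| where host_ip="10.10.10.10"
| stats count AS where_count
```

If the first search reports only `no`, the field is not being extracted for those events in that time range, and the `where` filter has nothing to match; if `search_count` and `where_count` differ, the discrepancy is in how the two commands are being applied rather than in the data.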