I am seeing what is for me a very odd situation. We have a scheduled search to alert on one of two specific errors that might occur in an application we are monitoring. What I am seeing in Job Inspector are the following debug messages:
DEBUG: A clause in your search will not return results. Make sure you are using 'OR' to search multiple indexes and at least one specified index exists.
DEBUG: Incompatible set of indexes specified
DEBUG: No matching index found for 'index=nameof_index'
NOTE: The real name of the index does end with "_index".
I came across these messages only because the app owner reported that an alert did not report a time when 4 events were generated in the search timeframe. This has happened only that one time (so far) but I cannot find the cause of these debug messages.
I get that if the specified index did not really exist that the sourcetype could pull up the data. But the index does exist, both in the indexers' indexes.conf file and on the file systems as expected. So I am at a loss as to the cause of these messages. Could it be due to the name of the index including the text "index"?
In case someone wants to know, the search generating these messages looks like this:
index="nameof_index" sourcetype="sourcetype" host="host*" (ERR_CODE1 OR ERR_CODE2)
NOTE: The names have been changed to protect the innocent. :)