topic Re: Why I get less events in verbose-Mode? in Splunk Enterprise

Why I get less events in verbose-Mode?

marcokrueger — Tue, 14 Mar 2017 06:55:22 GMT

Hello everybody,
I have a problem with incomplete searchresults.
When I use clever mode I get 1125 events but in verbose-mode I only get 969.
I wounder why this behaviour because verbose should be the exacter extraction, so I thought about memory-limits but cant find any Error in the search.log
Another indication for a memory-issue is, if I limit the fields to response to one, f.e. "...| fields + D_T2m |... I also get the 1125 Events.

How can I easy verify my results to know I can trust them? I cant find any Error in the log or at least a warning that would indicate missing values.

best regards
Grisuji

P.S. as a background-information, I also use an append in this search which append another kind of data, but the results I miss are from the main-search and the append give not very much events: ~2000 - not very much. When I skip the append, the results are also complete, which points to a memory-issue.

Re: Why I get less events in verbose-Mode?

niketn — Tue, 14 Mar 2017 08:22:59 GMT

With append it is matter of how many events subsearch has to parse rather than how many events it has to display. You ensure that you get only required events in your base search for both main and appended search. If you have to work only with one column have you tried appendcols instead of append?

Also if you run the two searches separately in verbose mode, do you still see issue with one or both of them?

Re: Why I get less events in verbose-Mode?

marcokrueger — Tue, 14 Mar 2017 11:23:57 GMT

Thank you, I have refactored the query so it comes without an append and it works. The only thing I miss is an message in cases of memory-issues respectivly incomplete results. It gives a very bad tast not to know all is complete.

Re: Why I get less events in verbose-Mode?

niketn — Tue, 14 Mar 2017 12:07:59 GMT

In terms of documentation what I can suggest is going to the following for choosing correct method for correlation:

http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation

Please accept this answer if this has helped you, or else provide your own answer and accept the same.

Re: Why I get less events in verbose-Mode?

woodcock — Tue, 14 Mar 2017 15:43:03 GMT

Do not use subsearch-based commands such as append and join.

Re: Why I get less events in verbose-Mode?

marcokrueger — Wed, 15 Mar 2017 08:07:04 GMT

Thank you, is this a general recommendation? Is the append a reason why Splunk> can't warn for incomplete results?

Re: Why I get less events in verbose-Mode?

woodcock — Wed, 15 Mar 2017 19:26:41 GMT

Yes, it is mostly silent, unless you go digging for it after the fact.