https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336425#M6085 <P>Could anyone please provide the difference between addinfo and search<BR /> Please</P> Sun, 15 Apr 2018 17:18:30 GMT logloganathan 2018-04-15T17:18:30Z https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336425#M6085 <P>Could anyone please provide the difference between addinfo and search<BR /> Please</P> Sun, 15 Apr 2018 17:18:30 GMT https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336425#M6085 logloganathan 2018-04-15T17:18:30Z https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336426#M6086 <P><CODE>| addinfo</CODE> is used to add search meatdata to the search results where <CODE>search</CODE> is used to search events that have been indexed. <CODE>addinfo</CODE> has special use cases such as ITSI where <CODE>search</CODE> is much more common. </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Addinfo">https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Addinfo</A></P> Sun, 15 Apr 2018 18:18:10 GMT https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336426#M6086 skoelpin 2018-04-15T18:18:10Z https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336427#M6087 <P>These are very different commands and I can't see where the confusion is.</P> <P>The search command has two uses. If it is the first command in a search request, it pulls data from the indexer that matches the terms you give it. In this case the word search is optional. If it is a subsequent command, it is a filter and any events or rows that do not match the terms get dropped.</P> <P>Addinfo does not add new events or filter existing ones. It adds 4 fields about the search to every event. ( info_min_time, info_max_time, info_sid and info_search_time) This is normally used as a step in summary indexing.<BR /> See <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo" target="_blank">docs on addinfo</A> for more detail or <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing" target="_blank">this explanation of summary indexing </A></P> Tue, 29 Sep 2020 19:02:28 GMT https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336427#M6087 bmunson_splunk 2020-09-29T19:02:28Z https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336428#M6088 <P>@logloganathan could you provide the reason for finding the difference between <CODE>addinfo</CODE> and <CODE>search</CODE>?</P> <P>As stated in the answers below Splunk Documentation would be good place to read about and try out addinfo command.</P> <P>Whenever you run a search in Search bar it runs <CODE>search</CODE> command For example if you run the following query: </P> <PRE><CODE> index=_internal </CODE></PRE> <P>And then check the Job Inspector and open the Search Job Properties you would notice the search property as </P> <PRE><CODE> search index=_internal </CODE></PRE> <P>For Sub queries <CODE>search</CODE> needs to be mentioned explicitly check out examples of <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append">append</A>, <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendcols">appendcols</A> and <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join">join</A>. <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Typesofcommands#Generating">Generating commands</A> do not start with search rather they start with a pipe.</P> Sun, 15 Apr 2018 22:06:52 GMT https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336428#M6088 niketn 2018-04-15T22:06:52Z https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336429#M6089 <P>All <CODE>| addinfo</CODE> does is tell you some basic things about your search job (timepicker settings, job ID, and time that your search took); it does not change your search at all, it just adds 5 fields to every event. Adding <CODE>| search</CODE> will allow you to further filter your results at that point down to a more select set; it most definitely does change your search. These commands really have no commonality of any kind.</P> Sun, 15 Apr 2018 22:59:21 GMT https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336429#M6089 woodcock 2018-04-15T22:59:21Z https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336430#M6090 <P>@logloganathan, I see that you have down voted my comment. Down voting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices.</P> <P>Simply commenting with more information about what didn't work and what you've tried (or whatever other info may be relevant) would suffice to help you troubleshoot further.</P> <P>Refer to community guidelines (ironically again on Splunk Docs :)): <A href="https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines">https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines</A></P> <P>I am curious to know as to how request to research on own before asking question is harmful for you/your environment. Please clarify!!!</P> Mon, 16 Apr 2018 14:25:15 GMT https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336430#M6090 niketn 2018-04-16T14:25:15Z https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336431#M6091 <P>1)I just reported your comment and i never down-voted.<BR /> 2) I want to get difference between addinfo and search( when i teach the Splunk query and i got this question from my colleagues) here i just struck.There is nothing available for difference between addinfo and search<BR /> 3)you have not provided answer that i was looking for but you are asking why you need?</P> <P>you should give respect for all the questions posted in the community<BR /> There are also who ask questions like "How to start the Splunk"<BR /> This is one example and i can say lot of new example<BR /> <A href="https://answers.splunk.com/answers/462710/are-there-any-splunk-training-materials-for-new-us.html">https://answers.splunk.com/answers/462710/are-there-any-splunk-training-materials-for-new-us.html</A></P> <P>Also the document that you mentioning say "we can downvote"</P> <P><A href="https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines">https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines</A></P> <P>"Be honest. Above all, be honest. If you see misinformation, vote it down. Insert comments indicating what, specifically, is wrong. Even better -- edit and improve the information! Provide stronger, faster, superior answers of your own!"</P> <P>Please give respect for me. Thanks for providing the opportunity to share my opinion </P> Mon, 16 Apr 2018 15:56:17 GMT https://community.splunk.com/t5/Knowledge-Management/what-is-the-difference-between-addinfo-and-search/m-p/336431#M6091 logloganathan 2018-04-16T15:56:17Z