topic Re: Convertion of sumologic query to splunk in Knowledge Management

Why conversion of sumologic query to splunk getting different results?

strawberry28 — Fri, 10 Jun 2022 05:35:36 GMT

Sumologic Query:

and my conversion to splunk:

source="http:Emerson_P1CDN" AND status_code=200 AND referer="" | stats count by host,path,client_ip,referer,user_agent | where count >= 100 | sort - count

Do think I convert it right? because the result of splunk was different from sumologic.

Re: Convertion of sumologic query to splunk

ITWhisperer — Thu, 09 Jun 2022 08:08:10 GMT

It depends on how sumologic deals with null values. Splunk will only count the events if all the by fields (host,path,client_ip,referer,user_agent) are non-null. To test this, you could use fillnull

source="http:Emerson_P1CDN" AND status_code=200 AND referer="" | fillnull value="NULL" | stats count by host,path,client_ip,referer,user_agent | where count >= 100 | sort - count

Re: Convertion of sumologic query to splunk

strawberry28 — Thu, 09 Jun 2022 08:47:43 GMT

Thanks for answering but I'm having problem with the exact result of the query. it should be the same on sumologic. because right now our team is migrating to splunk.

Re: Convertion of sumologic query to splunk

ITWhisperer — Thu, 09 Jun 2022 08:54:34 GMT

In what way are the results different?

Re: Convertion of sumologic query to splunk

strawberry28 — Thu, 09 Jun 2022 10:07:11 GMT

They throw a different result and same with the count.

Re: Convertion of sumologic query to splunk

ITWhisperer — Thu, 09 Jun 2022 10:20:38 GMT

If you don't wish to provide some details, you will need to work out under what circumstances the results are different, how are they different in detail, does this happen all the time, can you reduce the events until the difference goes away, then increase it to find out which events are causing the difference, and what it is about those events that are treated different by Splunk and sumologic.

Re: Convertion of sumologic query to splunk

strawberry28 — Mon, 13 Jun 2022 07:09:15 GMT

I reduce it to status_code=200 then show the count of cdn 200 in total. it doubled the number in sumologic that is the first difference I notice.

Re: Convertion of sumologic query to splunk

ITWhisperer — Mon, 13 Jun 2022 07:16:56 GMT

Have a look at the events (run the search in verbose mode). Have the events been duplicated in Splunk? Have unexpected events been included?

Re: Convertion of sumologic query to splunk

strawberry28 — Mon, 13 Jun 2022 09:09:48 GMT

sorry for the confusion, what I mean is that it doubled the count result from sumologic. sample count is

status code(200) sumologic= 100 count
status code (200) splunk = 250 count

what could be the reason it doubles?

Re: Convertion of sumologic query to splunk

ITWhisperer — Mon, 13 Jun 2022 09:21:16 GMT

Timeframes could be different. Raw events could be different / include events from different sources. Field extraction could be different resulting in additional events being found.

You could try reducing your timeframes for both systems so you have a manageable number of results (100/250 sounds reasonably manageable but you could try for fewer), and compare which events are included in the splunk data set which aren't in the sumologic data set (and vice versa if appropriate).

Re: Convertion of sumologic query to splunk

strawberry28 — Mon, 13 Jun 2022 09:25:19 GMT

they just have same timeframe that is why I'm wondering why in splunk has more than count. when it should be almost same count.

Re: Convertion of sumologic query to splunk

ITWhisperer — Mon, 13 Jun 2022 09:42:15 GMT

Are the differences restricted to particular hosts, paths, client_ips, referers, user_agents or across the board.

What about different times of the day, days of the week, etc., are the differences more pronounced at different times?

There does not appear to be anything amiss with the search you are doing, which means it is probably in the data being used by splunk compared to the data being used by sumologic.