topic Re: Search command filtering not providing accurate results in Reporting

Search command filtering not providing accurate results

Mary666 — Fri, 05 Mar 2021 02:10:10 GMT

Hello Splunk Community,

I have two indexes: index=vc_xyz_idx and index=xp_zzz_summary_idx and I am checking to see if a value named docNum is in the index=xp_zzz_summary_idx. The docNum should be in both indexes, but I am only interested in the docNum missing from index=xp_zzz_summary_idx . I have created two eval's and renamed the indexes, since they both have the same field name - index. The issue is that I am getting false negatives. I have put in
| search Missing_in_Blue="No" because I only want the docNum that is missing in index=xp_zzz_summary_idx, but I get docNum that is actually in the index=xp_zzz_summary_idx. Can someone please help?

(index="vc_xyz_idx") OR (index="xp_zzz_summary_idx") | eval Blue=case(index=index="xp_zzz_summary_idx", docNum), Missing_in_Blue=if(docNum==xp_zzz_summary_idx, "Yes", "No") | search Missing_in_Blue="No" | stats values(Missing_in_Blue) as Missing_in_Blue by docNum

Re: Search command filtering not providing accurate results

scelikok — Fri, 05 Mar 2021 05:33:07 GMT

Hi @Mary666,

Please try using below search;

(index="vc_xyz_idx") OR (index="xp_zzz_summary_idx") | stats dc(index) as count values(index) as indexes by docNum | where count=1 AND indexes!="xp_zzz_summary_idx"

Re: Search command filtering not providing accurate results

Mary666 — Fri, 05 Mar 2021 07:29:14 GMT

Thanks! this seems to have worked 🙂

Question why use dc and name as count - just curious about your thought process here:

dc(index) as count

Re: Search command filtering not providing accurate results

scelikok — Fri, 05 Mar 2021 07:39:03 GMT

Nice to know it helped you 🙂

Since there are many events count would be unpredicted number, that is why I used dc (distinct count) which will result 1 or 2 for sure. I just used count as a name to use in further commands easier.

Re: Search command filtering not providing accurate results

Mary666 — Fri, 05 Mar 2021 07:49:20 GMT

Mainly just want to know why you used dc instead of values...

Re: Search command filtering not providing accurate results

Mary666 — Fri, 05 Mar 2021 07:55:24 GMT

Yes, this is exactly what I was struggling with - the count issue, since the count could be 1 or 2 for the index and I only needed those where the count=1 and I see how dc helped with that. Thanks for clarifying this for me.