https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393597#M114454 <P>Splunk JIRA SPL-153269</P> <P>A configuration added somewhere between Splunk Enterprise versions 6.4.? and 7.0.2 introduced an issue where using a macro with several lookups against the same lookup table results in only a single match attempt with subsequent matches against the lookup table being skipped. </P> <P>Make the following configuration change to <CODE>limits.conf</CODE>:<BR /> <CODE>[search_optimization::projection_elimination]<BR /> cmds_black_list = lookup</CODE></P> <P>There should not be a significant performance hit since this is just reverting this configuration to that in a previous version of Splunk. </P> <P>Fix has been tested and confirmed in my environment, under these specific test conditions. I know the problem didn't exist under some version of 6.x and started in some version of 7.x, I just don't recall which upgrade specifically broke the macro/lookups. I am not sure if it resolves other similar behavior observed under different conditions. </P> Mon, 06 Aug 2018 21:07:28 GMT marycordova 2018-08-06T21:07:28Z https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393596#M114453 <P>Problem:</P> <OL> <LI>search: <CODE>1. Search: index=win* EventCode=4624 |</CODE>userlookup(Account_Name)<CODE>| table Account_Name name sam eid mail | rename Account_Name as user | search eid!=NONE_FOUND | dedup user name sam eid mail</CODE></LI> <LI>static time range for explicit comparison: start 8/6/18 13:06:50.000; end 8/6/18 13:21:50.000</LI> <LI>fast 13 results; verbose 1257 results</LI> <LI>userlookup macro takes in a single attribute and attempts to match it against multiple columns in lookup table: <CODE>eval $attribute$=lower($attribute$) | lookup ad_users.csv sam as $attribute$ OUTPUTNEW name eid sam upn created pwd_set mail tel_ext manager division job department region country | lookup ad_users.csv mail as $attribute$ OUTPUTNEW name eid sam upn created pwd_set mail tel_ext manager division job department region country | lookup ad_users.csv upn as $attribute$ OUTPUTNEW name eid sam upn created pwd_set mail tel_ext manager division job department region country | eval $attribute$=upper($attribute$) | lookup ad_users.csv eid as $attribute$ OUTPUTNEW name eid sam upn created pwd_set mail tel_ext manager division job department region country | eval $attribute$=lower($attribute$) | eval eid=upper(eid)</CODE></LI> </OL> Tue, 29 Sep 2020 20:48:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393596#M114453 marycordova 2020-09-29T20:48:11Z https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393597#M114454 <P>Splunk JIRA SPL-153269</P> <P>A configuration added somewhere between Splunk Enterprise versions 6.4.? and 7.0.2 introduced an issue where using a macro with several lookups against the same lookup table results in only a single match attempt with subsequent matches against the lookup table being skipped. </P> <P>Make the following configuration change to <CODE>limits.conf</CODE>:<BR /> <CODE>[search_optimization::projection_elimination]<BR /> cmds_black_list = lookup</CODE></P> <P>There should not be a significant performance hit since this is just reverting this configuration to that in a previous version of Splunk. </P> <P>Fix has been tested and confirmed in my environment, under these specific test conditions. I know the problem didn't exist under some version of 6.x and started in some version of 7.x, I just don't recall which upgrade specifically broke the macro/lookups. I am not sure if it resolves other similar behavior observed under different conditions. </P> Mon, 06 Aug 2018 21:07:28 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393597#M114454 marycordova 2018-08-06T21:07:28Z https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393598#M114455 <P>similar issues on answers: </P> <OL> <LI><A href="https://answers.splunk.com/answers/658420/verbose-mode-returns-results-as-expect-but-not-fas.html">https://answers.splunk.com/answers/658420/verbose-mode-returns-results-as-expect-but-not-fas.html</A></LI> <LI><A href="https://answers.splunk.com/answers/343834/why-am-i-getting-three-different-results-running-a.html">https://answers.splunk.com/answers/343834/why-am-i-getting-three-different-results-running-a.html</A></LI> </OL> <P>it would be interesting to see if testing shows this resolves them<BR /> it's possible that this specific config doesn't but another option in the stanza would</P> Mon, 06 Aug 2018 21:09:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393598#M114455 marycordova 2018-08-06T21:09:48Z https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393599#M114456 <P>We have the same problem without using a macro in Splunk 6.6.5. The search of type<BR /> ... | lookup table field1 OUTPUT newfield | lookup table field2 OUTPUTNEW newfield<BR /> is (in fast mode) "optimized" to<BR /> ... | lookup table field2 OUTPUTNEW newfield</P> <P>Just wanted to confirm that your limits.conf entry solves the problem. Thanks for that!</P> Thu, 27 Jun 2019 11:51:33 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/393599#M114456 drfk 2019-06-27T11:51:33Z https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/568340#M198046 <P><SPAN>Similar setup to drfk, with no macro but 2 lookups.&nbsp; Splunk 8.2.2.&nbsp; Verbose mode gave results, but Fast/Smart modes just resulted in 0's.&nbsp; Changing the limits.conf file fixed the problem.&nbsp; Thank you!</SPAN></P> Fri, 24 Sep 2021 07:58:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/568340#M198046 m2oswald 2021-09-24T07:58:06Z https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/597938#M208214 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/159620">@marycordova</a>&nbsp;,</P><P>I have a distributed environment and I put this configuration in every SH at path /splunk/etc/system/local, but doesn't work.<BR /><BR />Can someone help me to find out the correct solution?</P><P>&nbsp;</P><P>Thank to all.</P> Mon, 16 May 2022 12:30:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/597938#M208214 Robertoing 2022-05-16T12:30:03Z https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/597991#M208229 <P>i know this is kind of a lame response but,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231488">@Robertoing</a>&nbsp;, are you able to upgrade to version 8?</P> Mon, 16 May 2022 19:29:27 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/597991#M208229 marycordova 2022-05-16T19:29:27Z https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/695970#M236584 <P>Facing the same issue in Splunk Enterprise version&nbsp; - 8.2.6.1&nbsp;</P><P>&nbsp;</P><P>Any fix? workaround? please share !!</P> Mon, 12 Aug 2024 08:15:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-search-in-fast-mode-return-different-results-than/m-p/695970#M236584 rajan_kumar_rai 2024-08-12T08:15:30Z