topic Why is the result number not matching? in Splunk Search

Why is the result number not matching?

rakeshyv0807 — Wed, 09 May 2018 20:15:22 GMT

Hi - I have a query where it results in total number of results of number of people logged into an application and I am displaying results for the last 24 hours. Below is the query:

sourcetype="pfad" AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | search connectionid=PartnerPortal | stats count(subject) ------------> resulted total count of 1400+

Here the "PartnerPortal" is the application name which is tied to the field "connectionid". But if I change the above query to something like following:

sourcetype="pfad" **PartnerPortal** AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid=* | dedup subject  | stats count(subject) ------------> resulted total count of 2300+

I have tried the following query as well but resulting 2300+ results:

sourcetype="pfaduit" connectionid = PartnerPortal tid success NOT AUTHN_ATTEMPT NOT SLO NOT OIDC adapterid= * | dedup subject | stats count(subject)

Shouldn't all the above queries result the same number?

Please advice.

Thanks.

Re: Why is the result number not matching?

aholzer — Wed, 09 May 2018 20:46:38 GMT

First thing I'll say is that running PartnerPortal is very different from running connectionid = PartnerPortal, which in turn is different from running connectionid = PartnerPortal* in your base search.

For example if you have these three events:
event 1 = time1 there was an error in PartnerPortal. adapterid=value1.a subject=value2.a
event 2 = time2 connectionid=PartnerPortal adapterid=value1.b subject=value2.b
event 3 = time3 connectionid=PartnerPortalConfig adapterid=value1.c subject=value2.c

Running just a string search for "PartnerPortal" in your base search, you'll get all three events above returned.
Running connectionid = PartnerPortal* in your base search will return event 2 and event 3 but not event 1, since event 1 doesn't even have the field connectionid in it
Running connectionid = PartnerPortal in your base search will return only event 2, since the value of connectionid in event 3 is actually PartnerPortalConfig

Hope this helps

Re: Why is the result number not matching?

xpac — Wed, 09 May 2018 20:50:22 GMT

Also, in the first search adapterid= is missing the *

Re: Why is the result number not matching?

rakeshyv0807 — Wed, 09 May 2018 21:18:38 GMT

Thanks, for the reply.

sourcetype="pfad" AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | search connectionid=PartnerPortal | stats count(subject) ------------> resulted total count of 1400+

sourcetype="pfad" connectionid = PartnerPortal AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | stats count(subject) -----> resulted total count of 2300+

Doesn't the above two queries return the same number of results?

Thanks.

Re: Why is the result number not matching?

xpac — Wed, 09 May 2018 21:22:52 GMT

Those are two different sourcetypes?

Re: Why is the result number not matching?

rakeshyv0807 — Wed, 09 May 2018 21:25:34 GMT

Just updated my reply. Please check and let me know. Thanks.

Re: Why is the result number not matching?

niketn — Wed, 09 May 2018 21:42:26 GMT

Instead of | dedup subject | stats count(subject) can you try | stats dc(subject)?

Also you must understand that NOT is not same as !=, trying to find NOT will also return events where keywords after NOT are not present. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#6._Using_the_NOT_or_.21.3D_comparisons

Also try turning off Search Optimization to test the results of the two queries as per answer: https://answers.splunk.com/answers/589037/search-results-are-different.html

Re: Why is the result number not matching?

xpac — Wed, 09 May 2018 21:50:04 GMT

If you dedup and filter on Partnerportal afterwards, you might have already thrown away events that might have fit the Partnerportal criteria. In the second search, you're doing it before dedup, therefore resulting in more events.

Re: Why is the result number not matching?

woodcock — Thu, 10 May 2018 04:49:01 GMT

This makes sense to me. Imagine that you have 2 events like this:

subject=foo connectionid=poo
subject=foo connectionid=PartnerPortal