topic Using " | reverse" in the command line returns duplicate results? in Splunk Search

Using " | reverse" in the command line returns duplicate results?

rbbelen — Wed, 06 Oct 2010 21:09:45 GMT

running a this query: splunk search "0e47015c-052f-4235-a25c-cbf3662371ee", returns this...

[10/5/10 8:45:01:521 CDT] 0000001f CommonRules E 0e47015c-052f-4235-a25c-cbf3662371ee -> Recipient with typeCode: BCC not found

[10/5/10 8:45:01:506 CDT] 0000001f CommonRules E 0e47015c-052f-4235-a25c-cbf3662371ee -> Recipient with typeCode: CC not found

however, running this query: splunk search "0e47015c-052f-4235-a25c-cbf3662371ee | reverse", returns this...

[10/5/10 8:45:01:506 CDT] 0000001f CommonRules E 0e47015c-052f-4235-a25c-cbf3662371ee -> Recipient with typeCode: CC not found

[10/5/10 8:45:01:521 CDT] 0000001f CommonRules E 0e47015c-052f-4235-a25c-cbf3662371ee -> Recipient with typeCode: BCC not found

[10/5/10 8:45:01:506 CDT] 0000001f CommonRules E 0e47015c-052f-4235-a25c-cbf3662371ee -> Recipient with typeCode: CC not found

[10/5/10 8:45:01:521 CDT] 0000001f CommonRules E 0e47015c-052f-4235-a25c-cbf3662371ee -> Recipient with typeCode: BCC not found

[10/5/10 8:45:01:506 CDT] 0000001f CommonRules E 0e47015c-052f-4235-a25c-cbf3662371ee -> Recipient with typeCode: CC not found

[10/5/10 8:45:01:521 CDT] 0000001f CommonRules E 0e47015c-052f-4235-a25c-cbf3662371ee -> Recipient with typeCode: BCC not found

why are duplicate results being returned? dedup doesn't help either.... thanks.

Re: Using " | reverse" in the command line returns duplicate results?

ftk — Wed, 06 Oct 2010 22:23:14 GMT

This is odd. What version are you running? You may want to open a support ticket for this.

You can work around this issue by using | sort - _time instead of | reverse as such:

0e47015c-052f-4235-a25c-cbf3662371ee | sort - _time

Re: Using " | reverse" in the command line returns duplicate results?

sdevadas — Sun, 31 Oct 2010 06:58:59 GMT

This is a problem. We almost had a production issue due to this:

Enterprise support Case Number 50333 Windows 2003 R2 Splunk 4.1.5

I didnt get much help from support - but thanks to this post, I was able to remove piping to reverse and find a way to get data across to our customer (which was part of a job which kicks off the Splunk command line, and then scrubs the data before presenting it to the customer system).

BTW this might be a data driven thing - since it was a problem only the production system, while the CLI command ran fine on the QA system.

Re: Using " | reverse" in the command line returns duplicate results?

Stephen_Sorkin — Sun, 31 Oct 2010 09:36:26 GMT

This is just a bug with "| reverse" from the command line because it tries to preview the output. You can disable preview with "-preview 0" from the command line.

Re: Using " | reverse" in the command line returns duplicate results?

sdevadas — Sun, 31 Oct 2010 23:15:08 GMT

I figured out that it is just a bug in the reverse command - but it took me a couple of hours of my Friday evening after the team reported that 'Splunk is returning results incorrectly only in production'. After removing the reverse, the team was able to complete the release without having to introduce any code to remove duplicates at the last minute.

The problem was that the bug did not show up in the CLI in the QA system or on the GUI in production, and did so only when we deployed the CLI based job to production, which was a problem since the team doing the release kept getting several records which the customer thought was some bug on our side. So my remark that it probably was a data-driven bug.

I see now that it is known bug: http://www.splunk.com/base/Documentation/latest/ReleaseNotes/Knownissues

Will disable the preview output if we use reverse in the future.

Thanks.