topic Re: Longer Period of Time showing Fewer Results?? in Splunk Search

Longer Period of Time showing Fewer Results??

essklau — Mon, 02 Jun 2014 18:04:54 GMT

Hi,

I have a search which returns 37 results for one date (May 30), but 0 results for May 30-Jun2. I am failing to see in the search anything that should be using time or cancelling results from a longer search period.

The search is:

eventtype=mssql-audit class_type=U | lookup dm_audit_actions action_id OUTPUT name
| join host, session_id, server_principal_id [ search eventtype=mssql-audit class_type="*" succeeded="true" src_ip="*" | eval src_ip=if(src_ip=="local machine",host,src_ip) | stats values(src_ip) as src_ip by host,session_id,server_principal_id ]

So why does a search give me results for a period of time, but no results for "period of time" + a day?

Any suggestions would be appreciated.

Re: Longer Period of Time showing Fewer Results??

hagjos43 — Mon, 02 Jun 2014 18:36:53 GMT

try this to help diagnose your problem.

Apply a _time bucket within your query and do a |stats count by _time

| bucket _time span=24h | stats count by _time

Re: Longer Period of Time showing Fewer Results??

essklau — Mon, 02 Jun 2014 19:31:29 GMT

I switched the span to 1h. There are events in the one day search that break down as expected by the hour. The one day + more days search still returns zero results.

Re: Longer Period of Time showing Fewer Results??

somesoni2 — Mon, 02 Jun 2014 19:55:53 GMT

Could you check if individual searches (main search and subsearch) are returning data, for the period May30-Jun02, independently? and have matching events so that join can be applied?