https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206275#M60024 <P>Hi folks,</P> <P>I'm experiencing a strange behavior on one of my splunk real-time postprocess dashboards. The numbers shown are significantly smaller as when I run the same search directly.</P> <P>Code for the dashboard:</P> <PRE><CODE>&lt;search id="allcount"&gt; &lt;query&gt;sourcetype=mgw_live | fields host,receiver,http_status&lt;/query&gt; &lt;earliest&gt;rt-60m&lt;/earliest&gt; &lt;latest&gt;rt&lt;/latest&gt; &lt;/search&gt; &lt;single&gt; &lt;title&gt;PRD2&lt;/title&gt; &lt;search base="allcount"&gt; &lt;query&gt;search host=prd2 | stats count&lt;/query&gt; &lt;/search&gt; &lt;option name="underLabel"&gt;Datagramme&lt;/option&gt; &lt;option name="field"&gt;count&lt;/option&gt; &lt;option name="linkView"&gt;search&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;/single&gt; </CODE></PRE> <P>Dashboard is showing a count of about 8000 to 9000 events.</P> <P>If I run the same search directly</P> <PRE><CODE>sourcetype=mgw_live | fields host,receiver,http_status | search host=prd2 | stats count </CODE></PRE> <P>I'm getting about 67.500 results which is much more likely, if I compare it to the source file.</P> <P>What could be the reason for this?</P> Mon, 07 Sep 2015 14:14:46 GMT DennisMohn 2015-09-07T14:14:46Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206275#M60024 <P>Hi folks,</P> <P>I'm experiencing a strange behavior on one of my splunk real-time postprocess dashboards. The numbers shown are significantly smaller as when I run the same search directly.</P> <P>Code for the dashboard:</P> <PRE><CODE>&lt;search id="allcount"&gt; &lt;query&gt;sourcetype=mgw_live | fields host,receiver,http_status&lt;/query&gt; &lt;earliest&gt;rt-60m&lt;/earliest&gt; &lt;latest&gt;rt&lt;/latest&gt; &lt;/search&gt; &lt;single&gt; &lt;title&gt;PRD2&lt;/title&gt; &lt;search base="allcount"&gt; &lt;query&gt;search host=prd2 | stats count&lt;/query&gt; &lt;/search&gt; &lt;option name="underLabel"&gt;Datagramme&lt;/option&gt; &lt;option name="field"&gt;count&lt;/option&gt; &lt;option name="linkView"&gt;search&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;/single&gt; </CODE></PRE> <P>Dashboard is showing a count of about 8000 to 9000 events.</P> <P>If I run the same search directly</P> <PRE><CODE>sourcetype=mgw_live | fields host,receiver,http_status | search host=prd2 | stats count </CODE></PRE> <P>I'm getting about 67.500 results which is much more likely, if I compare it to the source file.</P> <P>What could be the reason for this?</P> Mon, 07 Sep 2015 14:14:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206275#M60024 DennisMohn 2015-09-07T14:14:46Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206276#M60025 <P>Did you look at to check the conditions in 「Search job inspector」?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/631iF964F4DDACB413AA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Is there a difference in the 「Search job properties」？<BR /> ex.earliestTime　OR　latestTime</P> Tue, 08 Sep 2015 00:39:38 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206276#M60025 HiroshiSatoh 2015-09-08T00:39:38Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206277#M60026 <P>Dashboard job:<BR /> earliestTime: 2015-09-09T09:06:46.000+02:00<BR /> latestTime: 2015-09-09T10:06:46.000+02:00</P> <P>Free Search Job:<BR /> earliestTime: 2015-09-09T09:08:24.000+02:00<BR /> latestTime: 2015-09-09T10:08:24.000+02:00</P> <P>I also recognize, that the Event counts in the Dashboard Job differ from the displayes results:</P> <P>eventAvailableCount 71699<BR /> eventCount 71699</P> <P>I assume the error is within the postprocessing command. Is there any chance to inspect, what the postprocess does?</P> Wed, 09 Sep 2015 08:11:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206277#M60026 DennisMohn 2015-09-09T08:11:46Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206278#M60027 <P>I have re-evaluated the issue. If the timeframe is very short (earliest=rt-5m, latest=rtnow) the results are the same. As soon as I increase the searchtime, the results start to vary. </P> <P>Interval 5min =&gt; 1072 results (dashboard) vs. 1073 results (search) =&gt; both real-time changing, OK!<BR /> Interval 10min =&gt; 1850 results vs. 2280 results <BR /> Interval 30min =&gt; 1672 results vs. 6251 results <BR /> Interval 60min =&gt; 1875 results va. 12046 </P> <P>I don't see any reason why the real-time dashboard starts to drop results if the interval increases...</P> Wed, 09 Sep 2015 13:01:16 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206278#M60027 DennisMohn 2015-09-09T13:01:16Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206279#M60028 <P>Log There is also a link to "search.log" to the top of the inspector.</P> <P>Has been output is the number of the search process on the information in the "job inspector". <BR /> Please see what the difference in the number has come out at any stage.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/ViewsearchjobpropertieswiththeJobInspector">http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/ViewsearchjobpropertieswiththeJobInspector</A></P> Thu, 10 Sep 2015 03:36:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206279#M60028 HiroshiSatoh 2015-09-10T03:36:37Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206280#M60029 <P>For example, What happens if you specify the index results?</P> Fri, 11 Sep 2015 00:07:29 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206280#M60029 HiroshiSatoh 2015-09-11T00:07:29Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206281#M60030 <P>I don't see any errors in the search.log </P> <P>What do you mean by "specifying index results"?</P> Fri, 11 Sep 2015 13:11:41 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206281#M60030 DennisMohn 2015-09-11T13:11:41Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206282#M60031 <P>Any errors found?</P> <P>Make sure there is no difference in the index that are used in the search.<BR /> There may be a difference in the index to use in the difference of authority.</P> Thu, 24 Sep 2015 10:05:09 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-real-time-post-process-dashboard-showing-different/m-p/206282#M60031 HiroshiSatoh 2015-09-24T10:05:09Z