All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk query discrepancy

shangshin
Builder
‎10-09-2014 08:18 AM

Hi,
I am sending apache web access log to splunk with one of the fields called user_id and I can see the field on the left panel.
Can anyone tell me the difference between the 2 queries below? I think the search result should be the same for both queries. However, the first query returns 0 result but the second query returned results with the field user_id = myuserid

Any idea?

sourcetype="apache.web.access" user_id="myuserid" | table _time, user_id, _raw

sourcetype="apache.web.access" | search user_id="myuserid" | table _time, user_id, _raw
Reply

peter_krammer
Communicator
‎10-09-2014 09:24 AM

I have the same problem when I use automatic lookups.
If that is not the case it may be that you are searching in Fast or Smart Mode and the user_id field is not available in the first search run.

Your second query is differently handled by splunk because first a search is done on all data to find data with sourcetype "apache.web.access" and than a new search on the result data is startet, while the first query only runs one search against the data (which is more performant).

So try to change your search mode I hope it helps. (It did not in my case with the automatic lookup).

0 Karma
Reply

shangshin
Builder
‎10-09-2014 10:01 AM

Thanks for the response.

I just tried all 3 modes, fast, smart, verbose, but the result is still the same.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...