Result differences?

tinylund · ‎10-14-2016

Fairly new to Splunk and I am trying to understand the reason for the difference in results and search time for the following:

Created an extracted field for a Windows log - WinTempFieldType

When I run a search for: WinTempFieldType=Error
Search takes seconds, less that a full minute and finds less than 100 results

When I run a search for: WinTempFieldType=* | search WinTempFieldType=Error
Search takes 15 minutes and finds 5,000+ results

I ran across this, because I have a report that has a table that I based off the following search: WinTempFieldType=* | stats count WinTempFieldType | sort -count | table WinTempFieldType count

When the report ran the table showed the WinTempFieldType row with Error and a count over 5,000 - but when I clicked on the error cell to drill down, the pending search only showed less than 100 results. So that is when I tried to manually replicate the issue and got the same results. Now I am just trying to understand WHY?

tinylund · ‎10-14-2016

I understand that

WinTempFieldType=* | search WinTempFieldType=Error

is a search within a search and would take longer...and I'm really not concerned with time, the number of results found is the most important, by is there such (any) difference.

Result differences?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life