Splunk Api query returns inconsistent results

Explorer

Hello,

I am getting inconsistent results from Splunk for the queries below.

query1:
search index=index01 AND status=success AND (userid=user1 OR userid=user2 OR userid=user3.... till userid=user50) | stats values(userid), values(ip) by ip

query2:
search index=index01 AND status=success AND (userid=user1 OR userid=user2 OR userid=user3) | stats values(userid), values(ip) by ip

(basically I have fewer userids in query2).

The first query returns 3 records for user1 which is not correct and the second query returns 5 records for user1 which is correct.

I am using the Splunk 1.3.2 jar to execute these queries. Any help greatly appreciated.

Here is the code snippet:

import java.io.InputStream;
import java.util.HashMap;
import com.splunk.*;

JobArgs jobArgs = new JobArgs();
jobArgs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
jobArgs.setLatestTime(latesttime);     // latesttime: yesterday
jobArgs.setEarliestTime(earliesttime); // earliesttime: yesterday - 10 days

Service service = getSplunkServiceConnection();
Job job = service.getJobs().create(query, jobArgs);
while (!job.isDone()) {
    try {
        Thread.sleep(500);
    } catch (InterruptedException e) {
        // keep polling until the job reports done
    }
}

// process the result
JobResultsArgs resultArgs = new JobResultsArgs();
resultArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
InputStream resultStream = job.getResults(resultArgs);
ResultsReader resultReader = new ResultsReaderJson(resultStream);
HashMap<String, String> event;
while ((event = resultReader.getNextEvent()) != null) {
    String ip = event.get("ip");
    // stats names the column "values(userid)" unless it is aliased with "as"
    String id = event.get("values(userid)");
}
resultReader.close();

SplunkTrust

It sounds like you're exceeding the limits of the stats command (50000 events by default). I would increase the limit and use userid=* instead if you want to search for them all. You could do userid<51 to get the first 50 too.

http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Limitsconf

Please note the following when handling limits.conf in a distributed environment:
# limits.conf settings and DISTRIBUTED SEARCH
# Unlike most settings which affect searches, limits.conf settings are not
# provided by the search head to be used by the search peers. This means
# that if you need to alter search-affecting limits in a distributed
# environment, typically you will need to modify these settings on the
# relevant peers and search head for consistent results.
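An added example, not the poster's code and not from Splunk's own documentation, that ties the two points above together: it runs the job with the Java SDK, warns when the row count reaches the default `[stats] maxresultrows` of 50000 that the limits.conf answer refers to, and pages through the results with an explicit offset and count. The class name, page size and the assumption of an already-connected `Service` are mine.

```java
import com.splunk.Event;
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.JobResultsArgs;
import com.splunk.ResultsReaderJson;
import com.splunk.Service;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class PagedStatsFetch {
    // Default [stats] maxresultrows in limits.conf (assumed unchanged on peers and search head).
    static final int STATS_DEFAULT_MAXRESULTROWS = 50000;
    static final int PAGE = 1000; // rows requested per results call (hypothetical choice)

    // Runs the query as a blocking job and returns every result row.
    // A total at or above the stats limit means the stats output may have been cut off.
    static List<Event> fetchAll(Service service, String query, String earliest, String latest)
            throws Exception {
        JobArgs jobArgs = new JobArgs();
        jobArgs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
        jobArgs.setEarliestTime(earliest);
        jobArgs.setLatestTime(latest);
        Job job = service.getJobs().create(query, jobArgs);
        while (!job.isDone()) {          // BLOCKING normally returns finished; poll to be safe
            Thread.sleep(500);
        }
        if (job.isFailed()) {
            throw new IllegalStateException("search job failed: " + query);
        }
        int total = job.getResultCount();
        if (total >= STATS_DEFAULT_MAXRESULTROWS) {
            System.err.println("WARNING: " + total + " rows; [stats] maxresultrows may have truncated the result");
        }
        List<Event> rows = new ArrayList<>();
        for (int offset = 0; offset < total; offset += PAGE) {
            JobResultsArgs args = new JobResultsArgs();
            args.setOutputMode(JobResultsArgs.OutputMode.JSON);
            args.setOffset(offset);
            args.setCount(PAGE); // explicit: otherwise the results endpoint returns only its default page
            InputStream in = job.getResults(args);
            ResultsReaderJson reader = new ResultsReaderJson(in);
            try {
                Event e;
                while ((e = reader.getNextEvent()) != null) {
                    rows.add(e);
                }
            } finally {
                reader.close();
            }
        }
        return rows;
    }
}
```

Comparing `rows.size()` against `job.getResultCount()` after the loop is a cheap way to confirm the client read everything the job produced, so a mismatch points at the fetch rather than at the search.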

Explorer

Thanks for your reply. I will change the stats and give a try.

userid1, 2, 3... are examples; the value can be anything, like "rob", "john", "123ad"...