
Why do I get fewer events in verbose mode?

Path Finder

Hello everybody,
I have a problem with incomplete search results.
When I use clever mode I get 1125 events, but in verbose mode I only get 969.
I wonder why this behaviour occurs, because verbose should be the more exact extraction, so I thought about memory limits but can't find any error in search.log.
Another indication of a memory issue is that if I limit the returned fields to one, e.g. "...| fields + D_T2m |...", I also get the 1125 events.

How can I easily verify my results so that I know I can trust them? I can't find any error in the log, or at least a warning that would indicate missing values.

Best regards,
Grisuji

P.S. As background information, I also use an append in this search which appends another kind of data, but the results I am missing are from the main search, and the append does not give very many events: ~2000, not very many. When I skip the append, the results are also complete, which points to a memory issue.


SplunkTrust

With append it is a matter of how many events the subsearch has to parse rather than how many events it has to display. Ensure that you get only the required events in your base search, for both the main and the appended search. If you have to work with only one column, have you tried appendcols instead of append?

Also, if you run the two searches separately in verbose mode, do you still see the issue with one or both of them?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
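One way to answer the "how can I verify my results" part of the question, as an added example that is not part of this thread and is not Splunk's own code: a short Python check over the messages a search job records. The subsearch behind append is capped by the limits.conf [subsearch] settings (maxout rows, maxtime seconds), and when a cap is hit the job only records a warning, so a result count alone never proves completeness. The sample messages below are constructed for this example; their exact wording and the "LEVEL: text" layout are assumptions, not copied from a real job, and the regular expressions should be adjusted to whatever your own job inspector shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample job messages (assumption: wording and layout are not taken
# from a real Splunk job). They imitate the warnings recorded when a subsearch
# used by append hits the limits.conf [subsearch] caps maxout and maxtime.
SAMPLE_MESSAGES = [
    "INFO: Your timerange was substituted based on your search string",
    "WARN: [subsearch]: Subsearch produced 10000 results, truncating to maxout 10000.",
    "WARN: [subsearch]: Subsearch was auto-finalized after time limit (60 seconds) reached.",
]

# The two ways a subsearch silently loses events:
# 1) the row cap (maxout) was reached, 2) the time cap (maxtime) auto-finalized it.
TRUNCATION_RE = re.compile(r"Subsearch produced (\d+) results, truncating to maxout (\d+)")
AUTOFINALIZE_RE = re.compile(r"auto-finalized", re.IGNORECASE)


@dataclass
class CompletenessReport:
    complete: bool
    maxout_hit: Optional[int] = None          # maxout value when the row cap was reached
    reasons: List[str] = field(default_factory=list)


def check_job_messages(messages: List[str]) -> CompletenessReport:
    """Scan a job's messages and report whether a subsearch was cut short.

    Warnings, not errors, are all the job leaves behind, so a search with a
    truncated append still finishes "successfully" with fewer events.
    """
    report = CompletenessReport(complete=True)
    for line in messages:
        m = TRUNCATION_RE.search(line)
        if m:
            report.complete = False
            report.maxout_hit = int(m.group(2))
            report.reasons.append(
                f"subsearch row cap: {m.group(1)} rows truncated to maxout {m.group(2)}"
            )
        elif AUTOFINALIZE_RE.search(line):
            report.complete = False
            report.reasons.append("subsearch auto-finalized before finishing (time cap)")
    return report


if __name__ == "__main__":
    result = check_job_messages(SAMPLE_MESSAGES)
    print("complete:", result.complete)
    for reason in result.reasons:
        print(" -", reason)
```

Run against the constructed sample the check reports the job as incomplete with both reasons; fed only the informational line it reports complete. In practice the messages come from the job inspector or the job's search.log, and the same check is a natural guard before a scheduled search's results are trusted downstream.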


Esteemed Legend

Do not use subsearch-based commands such as append and join.


Path Finder

Thank you, is this a general recommendation? Is the append the reason why Splunk> can't warn about incomplete results?


Esteemed Legend

Yes, it is mostly silent, unless you go digging for it after the fact.



Path Finder

Thank you, I have refactored the query so that it works without an append. The only thing I miss is a message in cases of memory issues or incomplete results. It leaves a very bad taste not to know whether everything is complete.


SplunkTrust

In terms of documentation, what I can suggest is going to the following for choosing the correct method for correlation:

http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation

Please accept this answer if this has helped you, or else provide your own answer and accept the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"