Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Surprising behavior of nav collections of saved searches

Wilcooley
Path Finder
‎11-15-2011 11:47 AM

I have collections with matches that overlap; for example, I might have an 'SMTP Errors' search that would match both <saved match="SMTP"> and <saved match="Errors"> in different collections. Clearly this is what the attribute source="all" is for, versus source="unclassified".

What is surprising, however, is that searches that have matched with source="all" will, later in the XML, also match a source="classified", so that the catch-all at the end of the default nav menu, "<saved source="unclassified">", includes the searches that have been included in collection. I would expect that they would not match the latter. It sorta defeats the point of making collections, doesn't it?

Am I missing something here? Is this a known bug or is this actually desirable behavior for some use case that I cannot think of?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎11-17-2011 08:15 AM

This is deliberate. The assumption is that if you're using all, then using any other sources or matches later, that all should not consume all the items. If you use source="all", and it did consume all matches, then all subsequent collections will be empty. I'm not sure why that behavior would be useful.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎11-17-2011 08:15 AM

This is deliberate. The assumption is that if you're using all, then using any other sources or matches later, that all should not consume all the items. If you use source="all", and it did consume all matches, then all subsequent collections will be empty. I'm not sure why that behavior would be useful.

0 Karma
Reply
Solved! Jump to solution

Wilcooley
Path Finder
‎11-17-2011 10:20 AM

Do I understand correctly then that it is not possible to have items that appear in multiple collections using match but do not appear in the final catch-all of unclassified items?

I cannot see why the case you present would be useful either, but that seems like a degenerate case, like using "DELETE * FROM table" in SQL--both meant to be paired with a filter, using match in this case.

Perhaps implicit in your answer is that source="all" would consume all of the items before the match is supplied? That would also be surprising.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...