Dashboards & Visualizations

Why would the SPL run in the Search App give different results than the same SPL run in a d/b panel?

genesiusj
Builder

Hello,

UPDATED.
Does anyone have any ideas? Thank you.

Here is my search; time range is All time.

index=d* host=n3* source="/opt/d.properties"
| diff
| rex max_match=0 field=_raw "(?<=[\n\r])\+(?<activated>(\#.*)|.*)"
| rex max_match=0 field=_raw "(?<=[\n\r])\-(?<inactivated>(\#.*)|.*)"
| table _time, activated, inactivated

The results are exactly what I am looking for.

2020-06-10 07:24:43	
#appinit.url.business=/DAY/tempdown.jsp
appinit.url.override=/DAY/emergencyPage

# Means the tempdown.jsp was commented out (inactivated). No # means emergencyPage was activated.

However, when the search code is added to a new dashboard panel, the results are not the same. Here is the XML code. Either they are the earliest events, or there are no results at all.

        <search>
          <query>index=d* host=n3* source="/opt/d.properties"
| diff
| rex max_match=0 field=_raw "(?&lt;=[\n\r])\+(?&lt;activated&gt;(\#.*)|.*)"
| rex max_match=0 field=_raw "(?&lt;=[\n\r])\-(?&lt;inactivated&gt;(\#.*)|.*)"
| table _time, activated, inactivated</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>

Why would the SPL run in the Search App give different results than the same SPL run in a d/b panel?

Stay safe and healthy, you and yours.

Thanks and God bless,
Genesius

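As an added illustration (my own Python, not code from the thread or from Splunk), here is the diff | rex | rex pipeline above emulated on a constructed pair of property-file snapshots. difflib stands in for Splunk's diff command; the two patterns are the poster's, rewritten only in Python's (?P<name>...) group syntax. The snapshot contents and the "strict" variants that skip unified-diff header lines are my assumptions. It shows two things worth checking when a panel and the Search app disagree: the order in which the two events reach diff decides which lines land in activated and which in inactivated, and two identical events produce an empty diff, so the table shows nothing.

```python
import difflib
import re

# Constructed sample data (not from the thread): two snapshots of
# /opt/d.properties as Splunk would hold them as two multi-line events.
# Only the two appinit.url lines differ, mirroring the thread's example.
OLDER_SNAPSHOT = (
    "app.name=day\n"
    "appinit.url.business=/DAY/tempdown.jsp\n"
    "#appinit.url.override=/DAY/emergencyPage\n"
    "app.timeout=30\n"
)
NEWER_SNAPSHOT = (
    "app.name=day\n"
    "#appinit.url.business=/DAY/tempdown.jsp\n"
    "appinit.url.override=/DAY/emergencyPage\n"
    "app.timeout=30\n"
)

# The thread's two rex patterns, with PCRE named groups (?<name>...) written
# as Python's (?P<name>...); the rest of each pattern is unchanged.
ACTIVATED_RE = re.compile(r"(?<=[\n\r])\+(?P<activated>(\#.*)|.*)")
INACTIVATED_RE = re.compile(r"(?<=[\n\r])\-(?P<inactivated>(\#.*)|.*)")

# Tightened variants (my assumption, not from the thread): a negative
# lookahead skips unified-diff header lines such as "+++ 2" and "--- 1".
ACTIVATED_STRICT_RE = re.compile(r"(?<=[\n\r])\+(?!\+\+)(?P<activated>.*)")
INACTIVATED_STRICT_RE = re.compile(r"(?<=[\n\r])\-(?!\-\-)(?P<inactivated>.*)")


def unified_diff(first_event: str, second_event: str) -> str:
    """Stand-in for Splunk's diff command: a unified diff of the first event
    against the second, in the order the search returned them. Whether
    Splunk's output carries ---/+++ header lines is not stated on the page;
    difflib's does, which is what the strict patterns guard against."""
    return "".join(
        difflib.unified_diff(
            first_event.splitlines(keepends=True),
            second_event.splitlines(keepends=True),
            fromfile="1",
            tofile="2",
        )
    )


def extract_changes(diff_text: str, strict: bool = False) -> dict:
    """Apply the two rex patterns with max_match=0 semantics (every match)."""
    act_re = ACTIVATED_STRICT_RE if strict else ACTIVATED_RE
    inact_re = INACTIVATED_STRICT_RE if strict else INACTIVATED_RE
    return {
        "activated": [m.group("activated") for m in act_re.finditer(diff_text)],
        "inactivated": [m.group("inactivated") for m in inact_re.finditer(diff_text)],
    }


def changes_between(first_event: str, second_event: str, strict: bool = False) -> dict:
    """diff | rex | rex end to end, for two events in search-result order."""
    return extract_changes(unified_diff(first_event, second_event), strict=strict)


if __name__ == "__main__":
    # Older event first, newer second: "+" lines are the newer file's lines.
    print(changes_between(OLDER_SNAPSHOT, NEWER_SNAPSHOT, strict=True))
    # Same two events in the opposite order: activated and inactivated swap.
    print(changes_between(NEWER_SNAPSHOT, OLDER_SNAPSHOT, strict=True))
    # Identical events: an empty diff, so the table has nothing to show.
    print(changes_between(NEWER_SNAPSHOT, NEWER_SNAPSHOT, strict=True))
    # The thread's patterns as written also capture a "+++" header line.
    print(changes_between(OLDER_SNAPSHOT, NEWER_SNAPSHOT)["activated"][0])
```

Run it directly to see the four cases printed. The practical check it suggests: before comparing column contents, confirm that the panel's search hands diff the same two events in the same order as the Search app does, since a reversed pair flips the two columns and a repeated event empties them.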

efavreau
Motivator

Hi @genesiusj!

When you port your query into a dashboard, are you using copy/paste? Depending on the apps and fonts involved, there are auto-corrected characters. For instance, a dash may be converted into an m-dash when an n-dash is needed (these are things I learned when I was zapped with a similar problem), etc. Or maybe when you put the code into the dashboard, it wasn't escaped for the XML. Play with different variations to make sure the exact, correct code appears in your dashboard. Don't look quickly and say "it is"; look real hard, and know it is identical. Maybe even type it in by hand with no copy/paste.

This may not be it, but I lost a lot of time not realizing I should make sure every time I run into something like this. Now I don't involve email or office or other apps. Plain text always. Maybe this will help.

###

If this reply helps you, an upvote would be appreciated.

genesiusj
Builder

@efavreau 

Thanks for your reply.

There is no copy-n-paste of code from the dashboard to a search. I click the search magnifying glass at the bottom right of the panel. The results in this search page do not match those in the dashboard.

Thanks and God bless,
Genesius


DalJeanis
SplunkTrust

There are a number of possible things that could happen here.  I don't use diff, because it's finicky and you can usually make things work under more control if you just code it yourself.  Additionally, you are losing the _time information for the next-to-the-last event. 

index=d* host=n3* source="/opt/d.properties"
| head 2
| rex field=_raw "^(?<activated>[^#].*)"
| rex field=_raw "^(?<inactivated>[#].*)"
| table _time, activated, inactivated

The above code should provide the two most recent events, most recent first, and separate the _raw data into two columns.  The right column will be used for inactivated info, the left for activated info, no matter what order they occurred in.

Run that and take a look at the info and the _time, then compare to your two outputs and see if there is any obvious reason.

Pay attention to whether the most recent record has a future _time, which may cause your symptoms, but couldn't be detected based on your code. If that were it, then simply fill in the "latest" in your XML with +1d or some similar value.


genesiusj
Builder

@DalJeanis 

Thank you for your reply.

The problem with using head is that the _raw is 43 lines. The head command appears to be only pulling the first line. While the diff command is pulling all 43 lines from both files, comparing the lines, and displaying only the changes between the 2 events.

[Screenshot attached: Screenshot - 6_19_2020 , 10_11_59 AM.png]

Thanks and God bless,
Genesius

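To make the head-versus-diff difference concrete, here is an added Python example (mine, not code from the thread or from Splunk). It applies DalJeanis's two anchored patterns to a constructed multi-line event, first with plain rex semantics (one match, ^ anchored at the start of the whole event, which is why only line 1 comes back) and then with max_match=0 plus PCRE's (?m) multiline flag (Python's re.MULTILINE), and it finishes with a hand-coded line-by-line comparison of two snapshots, the "code it yourself" route DalJeanis mentions. The event contents and the changed_lines helper are my assumptions.

```python
import re

# Constructed sample (not from the thread): one multi-line event holding a
# properties file, standing in for the 43-line _raw the thread describes.
RAW_EVENT = (
    "app.name=day\n"
    "#appinit.url.business=/DAY/tempdown.jsp\n"
    "appinit.url.override=/DAY/emergencyPage\n"
    "app.timeout=30\n"
)

# The previous snapshot of the same file, for the hand-coded comparison.
PREVIOUS_EVENT = (
    "app.name=day\n"
    "appinit.url.business=/DAY/tempdown.jsp\n"
    "#appinit.url.override=/DAY/emergencyPage\n"
    "app.timeout=30\n"
)

# DalJeanis's patterns, with (?<name>...) written as Python's (?P<name>...).
ACTIVE_LINE = r"^(?P<activated>[^#].*)"
INACTIVE_LINE = r"^(?P<inactivated>[#].*)"


def rex_first_match(raw: str, pattern: str):
    """rex without max_match: a single match, and ^ anchors only at the
    start of the whole event, so a multi-line _raw yields at most line 1."""
    m = re.search(pattern, raw)
    return m.group(1) if m else None


def rex_all_lines(raw: str, pattern: str) -> list:
    """rex max_match=0 with the (?m) flag: ^ anchors at every line start,
    so every matching line of the event is captured."""
    return [m.group(1) for m in re.finditer(pattern, raw, flags=re.MULTILINE)]


def changed_lines(previous: str, current: str) -> dict:
    """The 'code it yourself' route: compare the two events line by line
    instead of relying on diff. A line that exists only in the current event
    is reported as activated (no leading '#') or inactivated (leading '#');
    the lines it replaced are listed under changed_from."""
    before = set(previous.splitlines())
    after = set(current.splitlines())
    new_lines = [line for line in current.splitlines() if line not in before]
    old_lines = [line for line in previous.splitlines() if line not in after]
    return {
        "activated": [line for line in new_lines if not line.startswith("#")],
        "inactivated": [line for line in new_lines if line.startswith("#")],
        "changed_from": old_lines,
    }


if __name__ == "__main__":
    print("first line only:", rex_first_match(RAW_EVENT, ACTIVE_LINE))
    print("first line only:", rex_first_match(RAW_EVENT, INACTIVE_LINE))
    print("all active lines:", rex_all_lines(RAW_EVENT, ACTIVE_LINE))
    print("all inactive lines:", rex_all_lines(RAW_EVENT, INACTIVE_LINE))
    print("changes:", changed_lines(PREVIOUS_EVENT, RAW_EVENT))
```

The single-match functions reproduce what the thread observed with head 2 followed by rex: only the first line of a multi-line event appears in the table, and the inactivated pattern returns nothing at all because line 1 does not start with '#'. The multiline versions return every line, but they still list the whole file rather than what changed; changed_lines is what narrows the output to the altered properties without a diff command.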

genesiusj
Builder

[Image attached: images.jfif]
Being playful. 😁

I'm surprised no one has responded or is following this post.

Did I post this incorrectly?

Thanks and God bless,
Genesius 


anilchaithu
Builder

@genesiusj 

It should not give different results.

Are you the one launching the dashboard as well? 

Can you please debug by running the search manually in both the search app and the dbconnect app for the same time range?

Does it return the same number of events? 


genesiusj
Builder

@anilchaithu 

Thanks for replying.

I am the designer and launcher of the dashboard.

Why dbconnect app?

Thanks and God bless,
Genesius


neusse
Path Finder

It looks like you are doing an all-time search. If the data is coming in at a good rate, then they would not have the same results. It would be impossible for them to see the same exact data.

If you change the search to look for a particular hour of data and the two searches use that same hour, then it should match.

You would not match if you searched relative for the last few hours as well.  If the start and end are the same then the results should be the same.


genesiusj
Builder

@neusse 

Thanks for replying.

All time search will not affect the events. The data is/are static properties files. They are infrequently updated. However, when they are updated without us knowing, trouble happens.

So my search is performing a diff between the latest properties file and the previous one. As these files are prior to June 5th, there is no possibility of the files having changed since ingestion.

The issue is why the SPL, which is the same code in the dashboard, is giving different results.

Thanks and God bless,
Genesius
