what is the difference between addinfo and search?

logloganathan
Motivator

Could anyone please provide the difference between addinfo and search
Please


bmunson_splunk
Splunk Employee

These are very different commands and I can't see where the confusion is.

The search command has two uses. If it is the first command in a search request, it pulls data from the indexer that matches the terms you give it. In this case the word search is optional. If it is a subsequent command, it is a filter and any events or rows that do not match the terms get dropped.

Addinfo does not add new events or filter existing ones. It adds 4 fields about the search to every event (info_min_time, info_max_time, info_sid and info_search_time). This is normally used as a step in summary indexing.
See docs on addinfo for more detail, or this explanation of summary indexing.


woodcock
Esteemed Legend

All | addinfo does is tell you some basic things about your search job (timepicker settings, job ID, and time that your search took); it does not change your search at all, it just adds 5 fields to every event. Adding | search will allow you to further filter your results at that point down to a more select set; it most definitely does change your search. These commands really have no commonality of any kind.

niketn
Legend

@logloganathan could you provide the reason for finding the difference between addinfo and search?

As stated in the answers below, Splunk Documentation would be a good place to read about and try out the addinfo command.

Whenever you run a search in the Search bar, it runs the search command. For example, if you run the following query:

  index=_internal

And then check the Job Inspector and open the Search Job Properties, you would notice the search property as

  search index=_internal

For subqueries, search needs to be mentioned explicitly; check out the examples for append, appendcols and join. Generating commands do not start with search; rather, they start with a pipe.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
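An added SPL example (not from the original thread) that puts the accepted answer and the comment above side by side: the leading search is implicit, the subsearch inside append needs the explicit search keyword, | search in the middle of the pipeline only filters rows, and | addinfo only attaches the job's fields. The index=_internal sourcetype filters and the thresholds are assumptions chosen for illustration.

```spl
index=_internal sourcetype=splunkd log_level=ERROR
| addinfo
| eval window_sec = info_max_time - info_min_time
| stats count AS errors BY component info_sid info_min_time info_max_time window_sec
| append
    [ search index=_internal sourcetype=splunkd log_level=WARN
      | stats count AS warnings BY component ]
| search errors > 5 OR warnings > 50
```

Run as a scheduled search, every surviving row carries the job ID and the exact time window it was evaluated over, which is what makes an alert reproducible later; the final | search drops the rows under threshold but never changes which events were read. With the time picker set to All time, info_min_time is 0 and info_max_time is +Infinity, so window_sec is not meaningful in that case.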

niketn
Legend

@logloganathan, I see that you have down voted my comment. Down voting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or go completely against known best practices.

Simply commenting with more information about what didn't work and what you've tried (or whatever other info may be relevant) would suffice to help you troubleshoot further.

Refer to community guidelines (ironically again on Splunk Docs :)): https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines

I am curious to know how a request to research on your own before asking a question is harmful for you/your environment. Please clarify!!!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

logloganathan
Motivator

1) I just reported your comment and I never down-voted.
2) I want to get the difference between addinfo and search (when I teach the Splunk query, I got this question from my colleagues); here I just got stuck. There is nothing available on the difference between addinfo and search.
3) You have not provided the answer that I was looking for, but you are asking why I need it?

You should give respect to all the questions posted in the community.
There are also those who ask questions like "How to start the Splunk".
This is one example and I can give a lot of new examples:
https://answers.splunk.com/answers/462710/are-there-any-splunk-training-materials-for-new-us.html

Also the document that you are mentioning says "we can downvote":

https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines

"Be honest. Above all, be honest. If you see misinformation, vote it down. Insert comments indicating what, specifically, is wrong. Even better -- edit and improve the information! Provide stronger, faster, superior answers of your own!"

Please give respect to me. Thanks for providing the opportunity to share my opinion.


skoelpin
SplunkTrust

| addinfo is used to add search metadata to the search results, whereas search is used to search events that have been indexed. addinfo has special use cases such as ITSI, whereas search is much more common.

https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Addinfo
