- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: what is the difference between addinfo and sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are very different commands and I can't see where the confusion is.
The search command has two uses. If it is the first command in a search request, it pulls data from the indexer that matches the terms you give it. In this case the word search is optional. If it is a subsequent command, it is a filter and any events or rows that do not match the terms get dropped.
Addinfo does not add new events or filter existing ones. It adds 4 fields about the search to every event. ( info_min_time, info_max_time, info_sid and info_search_time) This is normally used as a step in summary indexing.
See docs on addinfo for more detail or this explanation of summary indexing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All | addinfo does is tell you some basic things about your search job (timepicker settings, job ID, and time that your search took); it does not change your search at all, it just adds 5 fields to every event. Adding | search will allow you to further filter your results at that point down to a more select set; it most definitely does change your search. These commands really have no commonality of any kind.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@logloganathan could you provide the reason for finding the difference between addinfo and search?
As stated in the answers below Splunk Documentation would be good place to read about and try out addinfo command.
Whenever you run a search in Search bar it runs search command For example if you run the following query:
index=_internal
And then check the Job Inspector and open the Search Job Properties you would notice the search property as
search index=_internal
For Sub queries search needs to be mentioned explicitly check out examples of append, appendcols and join. Generating commands do not start with search rather they start with a pipe.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@logloganathan, I see that you have down voted my comment. Down voting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices.
Simply commenting with more information about what didn't work and what you've tried (or whatever other info may be relevant) would suffice to help you troubleshoot further.
Refer to community guidelines (ironically again on Splunk Docs :)): https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines
I am curious to know as to how request to research on own before asking question is harmful for you/your environment. Please clarify!!!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1)I just reported your comment and i never down-voted.
2) I want to get difference between addinfo and search( when i teach the Splunk query and i got this question from my colleagues) here i just struck.There is nothing available for difference between addinfo and search
3)you have not provided answer that i was looking for but you are asking why you need?
you should give respect for all the questions posted in the community
There are also who ask questions like "How to start the Splunk"
This is one example and i can say lot of new example
https://answers.splunk.com/answers/462710/are-there-any-splunk-training-materials-for-new-us.html
Also the document that you mentioning say "we can downvote"
https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines
"Be honest. Above all, be honest. If you see misinformation, vote it down. Insert comments indicating what, specifically, is wrong. Even better -- edit and improve the information! Provide stronger, faster, superior answers of your own!"
Please give respect for me. Thanks for providing the opportunity to share my opinion
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are very different commands and I can't see where the confusion is.
The search command has two uses. If it is the first command in a search request, it pulls data from the indexer that matches the terms you give it. In this case the word search is optional. If it is a subsequent command, it is a filter and any events or rows that do not match the terms get dropped.
Addinfo does not add new events or filter existing ones. It adds 4 fields about the search to every event. ( info_min_time, info_max_time, info_sid and info_search_time) This is normally used as a step in summary indexing.
See docs on addinfo for more detail or this explanation of summary indexing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| addinfo is used to add search meatdata to the search results where search is used to search events that have been indexed. addinfo has special use cases such as ITSI where search is much more common.
https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Addinfo
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
Alerting Best Practices: How to Create Good Detectors
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
