Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Difference between the results from a visualizations and a regular search

cristiad
New Member
‎08-13-2018 04:17 AM

Hi there,

I have a strange situation. When I'm using a base search into a dashboard, I have displayed only 4 devices even if when I run the query as a regular search in search app I obtain a greater value.

Any ideas?

Thank you!

alt text

Preview file
8 KB
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎08-21-2018 02:43 AM

This seems like you might have a knowledge object { field extraction or a lookup } that isnt set to export globally.

Can you share your base search?

,This sounds to me like you have some knowledge objects { lookup, field extraction } that dont have global permissions or is exported outside of an app context..

Can you share your base search?

0 Karma
Reply

niketn
Legend
‎08-21-2018 02:43 AM

@cristiad by base search do you imply you are using Post-Processing? Is the final command in your base search a transforming command or streaming command? Will you be able to provide the query for existing dashboard?

Make sure that you do not return all the fields using base search for post-processing and rather use transforming commands like stats. Refer to Splunk Docs for Post-Processing Best Practices.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

nadlurinadluri
Communicator
‎08-14-2018 03:49 PM

Can you please elaborate on this? Are you saying that you are using the same query and getting different results when you run it as adhoc regular search and when it is in a dashboard?

0 Karma
Reply

cristiad
New Member
‎08-21-2018 01:57 AM

Yes, the same search is used and I obtain different results.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...