Splunk Enterprise

Help on a search which returns random results

jip31
Motivator

Hello

When I run the search below, it returns random results!

Sometimes 1 event is displayed, and a few minutes later no events are returned.

And sometimes the same event is returned, except that the _time field of the event is not the same, even though the hostname is the same!

[| inputlookup host.csv 
    | table host 
    | rename host as USERNAME ] `wire` earliest=-30d latest=now 
| fields USERNAME SNR RSSI 
| eval USERNAME=upper(USERNAME) 
| eval time=strftime(_time,"%Y-%m-%d %H:%M") 
| search USERNAME=NTTA* 
| lookup all.csv HOSTNAME as USERNAME output SITE DESCRIPTION_MODEL BUILDING_CODE ROOM 
| stats last(time) as "Event time" last(RSSI) as RSSI, last(SNR) as SNR, last(DESCRIPTION_MODEL) as Model, last(SITE) as Site, last(BUILDING_CODE) as Building last(ROOM) as Room by USERNAME 
| where (RSSI >= "-72" AND RSSI <= "-77") AND SNR <= "15" 
| rename USERNAME as Hostname 
| table "Event time" Hostname RSSI SNR Model Site Building Room

 

How can this be explained, please?

 

0 Karma

jip31
Motivator

I wonder if the issue is not in | where (RSSI >="-72" AND RSSI <="-77") AND SNR <"15" ?

0 Karma