Splunk Enterprise

Help on a search which returns random results

jip31
Motivator

Hello

When I run the search below, it returns random results!

Sometimes 1 event is displayed, and a few minutes later no events are returned.

And sometimes the same event is returned, except that the _time field of the event is not the same, even though the hostname is the same!

[| inputlookup host.csv 
    | table host 
    | rename host as USERNAME ] `wire` earliest=-30d latest=now 
| fields USERNAME SNR RSSI 
| eval USERNAME=upper(USERNAME) 
| eval time=strftime(_time,"%Y-%m-%d %H:%M") 
| search USERNAME=NTTA* 
| lookup all.csv HOSTNAME as USERNAME output SITE DESCRIPTION_MODEL BUILDING_CODE ROOM 
| stats last(time) as "Event time" last(RSSI) as RSSI, last(SNR) as SNR, last(DESCRIPTION_MODEL) as Model, last(SITE) as Site, last(BUILDING_CODE) as Building last(ROOM) as Room by USERNAME 
| where (RSSI >= "-72" AND RSSI <= "-77") AND SNR <= "15" 
| rename USERNAME as Hostname 
| table "Event time" Hostname RSSI SNR Model Site Building Room

 

How can this be explained, please?

 

0 Karma

jip31
Motivator

I wonder if the issue is not in | where (RSSI >="-72" AND RSSI <="-77") AND SNR <"15" ?

0 Karma