Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can someone explain why Search A has 0 results, but the refined Search B has multiple results?

kmcarrol
Path Finder
‎08-07-2015 12:32 PM

Can someone explain to me how Search A can have 0 results, but the refined Search B has multiple results? They are exactly the same except that the second theoretically has a smaller result set to process, right? Index pgbs has ~650,000 events.

Search A (0 results):

index=pgbs | makemv delim="," GtinToAsset | eval GtinCount=mvcount(GtinToAsset) | where GtinCount>1

Search B (188 results):

index=pgbs GtinToAsset="*,*" | makemv delim="," GtinToAsset | eval GtinCount=mvcount(GtinToAsset) | where GtinCount>1
Tags (2)
0 Karma
Reply

acharlieh
Influencer
‎08-09-2015 12:40 PM

I suspect you're running with fast mode and your GtinToAsset field is auto-extracted?

In order for your indexers to satisfy the first base search index=pgbs no field extraction on events is actually needed to satisfy the search criteria, but your second search index=pgbs GtinToAsset="*,*" requires the GtinToAsset field to be extracted to satisfy the search.

While your second search command makemv delim="," GtinToAsset requires the extraction to have been performed, I've seen issues where sometimes without specifying at least GtinToAsset=* in the base search in fast mode, the extraction just won't happen, thus the further commands fail for the field simply not being present.

What happens if you run the first search in Verbose mode?

0 Karma
Reply

kmcarrol
Path Finder
‎08-10-2015 06:35 AM

I was actually running in the default Smart Mode. I also tried in Verbose Mode and got the same result. But you're right, specifying GtinToAsset=* on the front end resolves the issue just like GtinToAsset=",".

It seems to me like this is a bug.

Reply

woodcock
Esteemed Legend
‎08-07-2015 06:12 PM

Are you sure it is not the other way around? If you have mismatched them, then I have a theory but as you have specified it, I am totally befuddled!

0 Karma
Reply

kmcarrol
Path Finder
‎08-09-2015 11:24 AM

If they were mismatched, then of course it would make sense to get fewer results when you add additional criteria. That's my point. 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...