Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can someone explain why Search A has 0 results, but the refined Search B has multiple results?

kmcarrol
Path Finder
‎08-07-2015 12:32 PM

Can someone explain to me how Search A can have 0 results, but the refined Search B has multiple results? They are exactly the same except that the second theoretically has a smaller result set to process, right? Index pgbs has ~650,000 events.

Search A (0 results):

index=pgbs | makemv delim="," GtinToAsset | eval GtinCount=mvcount(GtinToAsset) | where GtinCount>1

Search B (188 results):

index=pgbs GtinToAsset="*,*" | makemv delim="," GtinToAsset | eval GtinCount=mvcount(GtinToAsset) | where GtinCount>1
Tags (2)
0 Karma
Reply

acharlieh
Influencer
‎08-09-2015 12:40 PM

I suspect you're running with fast mode and your GtinToAsset field is auto-extracted?

In order for your indexers to satisfy the first base search index=pgbs no field extraction on events is actually needed to satisfy the search criteria, but your second search index=pgbs GtinToAsset="*,*" requires the GtinToAsset field to be extracted to satisfy the search.

While your second search command makemv delim="," GtinToAsset requires the extraction to have been performed, I've seen issues where sometimes without specifying at least GtinToAsset=* in the base search in fast mode, the extraction just won't happen, thus the further commands fail for the field simply not being present.

What happens if you run the first search in Verbose mode?

0 Karma
Reply

kmcarrol
Path Finder
‎08-10-2015 06:35 AM

I was actually running in the default Smart Mode. I also tried in Verbose Mode and got the same result. But you're right, specifying GtinToAsset=* on the front end resolves the issue just like GtinToAsset=",".

It seems to me like this is a bug.

Reply

woodcock
Esteemed Legend
‎08-07-2015 06:12 PM

Are you sure it is not the other way around? If you have mismatched them, then I have a theory but as you have specified it, I am totally befuddled!

0 Karma
Reply

kmcarrol
Path Finder
‎08-09-2015 11:24 AM

If they were mismatched, then of course it would make sense to get fewer results when you add additional criteria. That's my point. 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Meet Duke Cyberwalker | A hero’s journey with Splunk

We like to say, the lightsaber is to Luke as Splunk is to Duke. Curious yet? Then read Eric Fusilero’s latest ...

The Future of Splunk Search is Here - See What’s New!

We’re excited to introduce two powerful new search features, now generally available for Splunk Cloud Platform ...

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...