- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can the results of the same search vary betwee...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can the results of the same search vary between use in a search bar and a dashboard?
hi,
I am writing the following search query in the dashboard panel
sourcetype=xml22 |where $field1$ = 7|search Text="*Launched application: Automatic Registration"| eval Name = "Automatic Registration launch" |stats count by Name|table Name count
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: AutoQuant"| eval Name = "AutoQuant launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: FilmView"| eval Name = "FilmView launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: NM Renal"| eval Name = "NM Renal launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: NM Viewer"| eval Name = "NM Viewer launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: AutoSPECT Pro"| eval Name = "AutoSPECT Pro launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Launched application: AVA"| eval Name = "AVA launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Bone Mineral Density"| eval Name = "Bone Mineral Density launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Brain Perfusion"| eval Name = "Brain Perfusion launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Cardiac Viewer"| eval Name = "Cardiac Viewer launch" |stats count by Name|table Name count]*
and when i am performing single searches for the above group search like
sourcetype=xml22 |search Text="*Launched application: AutoQuant"| eval Name = "AutoQuant launch" |stats count by Name|table Name count*
the results are varying.
The query says that when the text in Text="Launched application: AutoSPECT Pro" arrives then print the name as given in eval Name = "AutoSPECT Pro launch" and then give the count of its occurrence as in stats count by Name|table Name count
This count is same for a few searches but its varying for others. Kindly help:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm seeing the same thing on one of our dashboards, i do the same exact query from the search bar, vs the dashboard and get different results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here same issue. Within the dashboard I see a partial result while my query is exactly the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I don't think there is a reason for the results to vary but I'm wondering if there no other way to perform your search... it seems very repetitive. What about you do something like:
sourcetype=xml22 $field1$ = 7 | stats count by Text
I know that it will return the full text and not the name you want... but after you get the stats you could use a lookup table to replace the "text" with the "name" you like or maybe | eval name=CASE(...) to change it.
It'll simplify your search command and make easier to debug...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
