Can the results of the same search vary between use in a search bar and a dashboard?

Explorer

Hi,

I am writing the following search query in the dashboard panel:

sourcetype=xml22 |where $field1$ = 7|search Text="*Launched application: Automatic Registration"| eval Name = "Automatic Registration launch" |stats count by Name|table Name count
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: AutoQuant"| eval Name = "AutoQuant launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: FilmView"| eval Name = "FilmView launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: NM Renal"| eval Name = "NM Renal launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: NM Viewer"| eval Name = "NM Viewer launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: AutoSPECT Pro"| eval Name = "AutoSPECT Pro launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Launched application: AVA"| eval Name = "AVA launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Bone Mineral Density"| eval Name = "Bone Mineral Density launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Brain Perfusion"| eval Name = "Brain Perfusion launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Cardiac Viewer"| eval Name = "Cardiac Viewer launch" |stats count by Name|table Name count]*

And when I am performing single searches for the above group search, like:
sourcetype=xml22 |search Text="*Launched application: AutoQuant"| eval Name = "AutoQuant launch" |stats count by Name|table Name count*

the results are varying.

The query says that when the text in Text="Launched application: AutoSPECT Pro" arrives then print the name as given in eval Name = "AutoSPECT Pro launch" and then give the count of its occurrence as in stats count by Name|table Name count

This count is the same for a few searches but it's varying for others. Kindly help :)

0 Karma

Explorer

I'm seeing the same thing on one of our dashboards. I do the same exact query from the search bar vs. the dashboard and get different results.

0 Karma

Path Finder

Same issue here. Within the dashboard I see a partial result while my query is exactly the same.

0 Karma

Builder

Hello,

I don't think there is a reason for the results to vary, but I'm wondering if there is no other way to perform your search... it seems very repetitive. What about doing something like:

sourcetype=xml22 $field1$ = 7 | stats count by Text

I know that it will return the full text and not the name you want... but after you get the stats you could use a lookup table to replace the "text" with the "name" you like or maybe | eval name=CASE(...) to change it.

It'll simplify your search command and make it easier to debug...

0 Karma
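
The single-pass approach suggested in the reply above, as an added example that is not code from the thread: it extracts the application name with `rex` and counts all ten launch messages in one search instead of ten `append` subsearches. The field name `App` is an assumption introduced here; `$field1$` is the dashboard token from the question, and the application names are the ones listed in the original query.

```spl
sourcetype=xml22 Text="*Launched application:*"
| where $field1$ = 7
| rex field=Text ".*Launched application:\s*(?<App>.+)"
| eval App = trim(App)
| search App IN ("Automatic Registration", "AutoQuant", "FilmView", "NM Renal", "NM Viewer", "AutoSPECT Pro", "AVA", "Bone Mineral Density", "Brain Perfusion", "Cardiac Viewer")
| eval Name = App . " launch"
| stats count by Name
| table Name count
```

To compare the dashboard count with the search bar, run the same text with the same time range and with `$field1$` replaced by the field name the dashboard input supplies, since the token is only substituted inside the dashboard. The single search quoted in the question omits the `where $field1$ = 7` filter, so the two are not the same search as written.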