Splunk Search

Data disappears in expanded search time

michaeler
Communicator

I'm trying to have a timechart showing the count of events by a category grouped by week. The search time is controlled by a radio button on the dashboard with options from 1w - 12 weeks with the end date set to @w. I then have a drilldown that shows a table with more info about each event for that category in that time range.

mysearch ....
| dedup case_id
| timechart span=1w count by case_category

The chart looks fine but when I click on certain sections to load the drilldown, much more data appears than was suggested by the count in the timechart. For instance, looking at Nov 19-25, in the timechart it shows 26 events, but when I go to the drilldown it shows 61.

When I open the drilldown search in Search, the issue seems to involve expanding the time range beyond one week. If I change the range from Nov 19-25 to Nov 19-27, the data from Nov 22-24 is either erased or reduced.

Nov 19-25 stats count results:
Nov 19: null
Nov 20: 8
Nov 21: 14
Nov 22: 19 **
Nov 23: 20 **
Nov 24: 1 **
Nov 25: null

Nov 19-28 stats count results:
Nov 19: null
Nov 20: 8
Nov 21: 14
Nov 22: 5 **
Nov 23: null **
Nov 24: null **
Nov 25: null
Nov 26: null
Nov 27: 35
Nov 28: 1

Labels (3)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

I suspect there are a couple of things going on.

What is your <drilldown> logic in the XML for picking the start and end data for the drilldown search. If it's not giving you a 7 day range then it seems likely there's an issue there.

Secondly, your primary search is doing dedup case_id.

If your drilldown search is ALSO doing dedup case_id but on a shorter time range, then it's possible that case ids from a date outside the drilldown range that have been deduped are now being counted, i.e. consider

case_id="ABC123" (26 November and also 22 November).

When you dedup on 19-25 November the ABC123 is still counted for 22 November, but when you search 19-27 November, the ABC123 is FIRST found on 26 November, so the count of ABC123 from 22nd November is now removed due to the dedup.

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

I suspect there are a couple of things going on.

What is your <drilldown> logic in the XML for picking the start and end data for the drilldown search. If it's not giving you a 7 day range then it seems likely there's an issue there.

Secondly, your primary search is doing dedup case_id.

If your drilldown search is ALSO doing dedup case_id but on a shorter time range, then it's possible that case ids from a date outside the drilldown range that have been deduped are now being counted, i.e. consider

case_id="ABC123" (26 November and also 22 November).

When you dedup on 19-25 November the ABC123 is still counted for 22 November, but when you search 19-27 November, the ABC123 is FIRST found on 26 November, so the count of ABC123 from 22nd November is now removed due to the dedup.

 

michaeler
Communicator

I was ready to say the dedup wasn't the issue because I thought I previously crossed that off.

The case_id is only supposed to have 2 events; when the case is opened and closed. So I thought each id would only appear twice and the dedup was working in my favor. It looks like I didn't do my due diligence and make sure they're not updated again.

Thanks for forcing me to check back and confirm the case_id's do repeat. I'm glad the solution is simple and something I overlooked.

0 Karma

Pat
Path Finder

I dunno.  I have somewhat of the same issue.  A search result shows while its searching and will stay if lower than a certain number of days but then disapears when the search completes over a number of days that is not consistant.  So seems related to the length of time of the search.  My search has no dedup in it.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...