Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Identical searches with different results because of dedup command

tsomod
Path Finder
‎09-21-2017 03:17 AM

Hi! I have two identical searches running on the same search head but with different time frames. What confuses me is that where the searches overlap in time, the results are different from one to the other, which doesn't make much sense to me. The two searches are:

index=XXXXXXXXXXXX sourcetype=XXXXXXXXXXX earliest=0 latest=@h | dedup src_ip sortby +_time | table src_ip,_time

and

index=XXXXXXXXXXXX sourcetype=XXXXXXXXXXX  earliest=-1h@h latest=@h | dedup src_ip sortby +_time | table src_ip,_time

As you can see the searches are identical except for the time frames. When I run the second search it results in MORE events over the last hour of the search than the first search over the same last hour. The searches are run at the same time. Any ideas why this happens?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tsomod
Path Finder
‎09-21-2017 06:15 AM

After a few hours of inspection I actually figured out what was wrong. It's the dedup command. Because the command is used on a longer timespan in the first search than in the second it is only natural that some src_ip's might be found in the first search that are not present in the second. Because of this fewer src_ip's are deduped in the second search, resulting in more events being output!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tsomod
Path Finder
‎09-21-2017 06:15 AM

After a few hours of inspection I actually figured out what was wrong. It's the dedup command. Because the command is used on a longer timespan in the first search than in the second it is only natural that some src_ip's might be found in the first search that are not present in the second. Because of this fewer src_ip's are deduped in the second search, resulting in more events being output!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-21-2017 06:56 AM

@tsomod, If your problem is resolved, please accept an answer (you can accept your own answer) to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-21-2017 05:17 AM

Hi tsomod,
probably you're receiving logs in the meanwhile you're searching.
try to execute searches using past and fixed time frames (e.g. -1h@h @h and -2h@h -1h@h), in other words, don't use now as latest.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

tsomod
Path Finder
‎09-21-2017 06:14 AM

After a few hours of inspection I actually figured out what was wrong. It's the dedup command. Because the command is used on a longer timespan in the first search than in the second it is only natural that some src_ip 's might be found in the first search that are not present in the second. Because of this fewer src_ip's are deduped in the second search, resulting in more events being output! Thank you, however, for your response!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...