Splunk Search

Inconsistent Search results

Kate_Lawrence-G
Contributor

Hi,

I am having some inconsistent search results and I'm not terribly sure why.

search #1:

earliest=-7d latest=-2h sourcetype=x  type=delta status=fatal | ctable type status

Which returns:

    type    fatal   TOTAL
1   delta   658     658
2   TOTAL   658     658

search #2:

earliest=-7d latest=-2h sourcetype=x  type=* status=fatal | ctable type status

Which returns:

    type       fatal    TOTAL
1   delta      861      861
2   full       34       34
3   TOTAL      895      895

The searches are running over the same period of time but returning differing results. I've confirmed that all my indexers are available.

Thanks

Kate


Stephen_Sorkin
Splunk Employee

When you search for type=delta in the part of the search before the first pipe character, we use the heuristic optimization that the value of the field/value comparison (here, delta) is indexed. I presume that this heuristic fails here. You can fix this by changing "type" in fields.conf to not be an indexed field, at the consequence of some searches being slower.

You can find the problematic events using:

earliest=-7d latest=-2h sourcetype=x  NOT delta status=fatal | search type=delta
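The fields.conf change described in the answer above, shown as an added example that is not part of the original thread. The field name "type" comes from the searches in the question; the file path is the usual local configuration location and the two stanzas are alternatives (before and after the fix), not both present at once.

```ini
# $SPLUNK_HOME/etc/system/local/fields.conf

# BEFORE (problematic): "type" is declared as an indexed field. A comparison
# like type=delta placed before the first pipe is then optimised into a lookup
# of the raw term "delta" in the index. If "type" is actually populated at
# search time, events whose raw text does not contain that token are never
# retrieved, which produces the 658 vs 861 difference seen above.
[type]
INDEXED = true

# AFTER (corrected): tell Splunk the field is not indexed. type=delta is now
# evaluated against the extracted field after the events are retrieved. This
# scans more events, which is the slowdown the answer mentions, but the base
# search and the "| search type=delta" form return the same count.
[type]
INDEXED = false
```

A quick check after applying the change: run the original search with type=delta before the pipe and the same search with "| search type=delta" after it, over the same time range; both should now report the same count.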

Kate_Lawrence-G
Contributor

I get the 861 count again....

    type    fatal   TOTAL
1   delta   861     861
2   TOTAL   861     861


Stephen_Sorkin
Splunk Employee

What results do you get if you change your first search to: earliest=-7d latest=-2h sourcetype=x status=fatal | search type=delta | ctable type status
