Inconsistent Search results

Kate_Lawrence-G · ‎02-28-2012

Hi,

I am having some inconsistent search results and I'm not terribly sure why.

search #1:

earliest=-7d latest=-2h sourcetype=x  type=delta status=fatal | ctable type status

Which returns:

    type    fatal   TOTAL
1   delta   658     658
2   TOTAL   658     658

search #2:

earliest=-7d latest=-2h sourcetype=x  type=* status=fatal | ctable type status

Which returns:

    type       fatal    TOTAL
1   delta      861      861
2   full       34       34
3   TOTAL      895      895

The searches are running over the same period of time but returning differing results. I've confirmed that all my indexers are available.

Thanks

Kate

Stephen_Sorkin · ‎03-05-2012

When you search for type=delta in part of the search before the first pipe character, we use the heuristic optimization that the value of the field/value comparison, here delta is indexed. I presume that this heuristic fails here. You can fix this by changing "type" in fields.conf to not be an indexed field, at the consequence of some searches being slower.

You can find the problematic events using:

earliest=-7d latest=-2h sourcetype=x  NOT delta status=fatal | search type=delta

Kate_Lawrence-G · ‎02-28-2012

I get the 861 count again....

     type   fatal    TOTAL

1 delta 861 861
2 TOTAL 861 861

Stephen_Sorkin · ‎02-28-2012

what results do you get if you change your first search to: earliest=-7d latest=-2h sourcetype=x status=fatal | search type=delta | ctable type status

Inconsistent Search results

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today