Splunk Search

Inconsistent Search results

Kate_Lawrence-G
Contributor

Hi,

I am having some inconsistent search results and I'm not terribly sure why.

search #1:

earliest=-7d latest=-2h sourcetype=x  type=delta status=fatal | ctable type status

Which returns:

type    fatal   TOTAL
delta   658     658
TOTAL   658     658

search #2:

earliest=-7d latest=-2h sourcetype=x  type=* status=fatal | ctable type status

Which returns:

type    fatal   TOTAL
delta   861     861
full    34      34
TOTAL   895     895

The searches are running over the same period of time but returning differing results. I've confirmed that all my indexers are available.

Thanks

Kate


Stephen_Sorkin
Splunk Employee

When you search for type=delta in the part of the search before the first pipe character, we use the heuristic optimization that the value of the field/value comparison (here, delta) is indexed. I presume that this heuristic fails here. You can fix this by changing "type" in fields.conf to not be an indexed field, with the consequence that some searches will be slower.

You can find the problematic events using:

earliest=-7d latest=-2h sourcetype=x  NOT delta status=fatal | search type=delta

Kate_Lawrence-G
Contributor

I get the 861 count again...

type    fatal   TOTAL
delta   861     861
TOTAL   861     861


Stephen_Sorkin
Splunk Employee

What results do you get if you change your first search to:

earliest=-7d latest=-2h sourcetype=x status=fatal | search type=delta | ctable type status
