Inconsistent Search results
Hi,
I am having some inconsistent search results and I'm not terribly sure why.
search #1:
    earliest=-7d latest=-2h sourcetype=x type=delta status=fatal | ctable type status
Which returns:
    type    fatal  TOTAL
    delta     658    658
    TOTAL     658    658
search #2:
    earliest=-7d latest=-2h sourcetype=x type=* status=fatal | ctable type status
Which returns:
    type    fatal  TOTAL
    delta     861    861
    full       34     34
    TOTAL     895    895
The searches are running over the same period of time but returning differing results. I've confirmed that all my indexers are available.
Thanks
Kate
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
When you search for type=delta
in part of the search before the first pipe character, we use the heuristic optimization that the value of the field/value comparison, here delta
is indexed. I presume that this heuristic fails here. You can fix this by changing "type" in fields.conf to not be an indexed field, at the consequence of some searches being slower.
You can find the problematic events using:
    earliest=-7d latest=-2h sourcetype=x NOT delta status=fatal | search type=delta
I get the 861 count again...
    type    fatal  TOTAL
    delta     861    861
    TOTAL     861    861
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
what results do you get if you change your first search to: earliest=-7d latest=-2h sourcetype=x status=fatal | search type=delta | ctable type status
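As an added illustration (not part of this thread), the following Python model shows the planner behaviour the Splunk employee describes and why the rewritten search just above behaves differently: with `type` declared INDEXED in fields.conf, a `type=delta` filter before the first pipe is resolved only against the `type::delta` index term, so events whose `type` value exists only at search time are silently dropped, whereas `| search type=delta` after a pipe is evaluated on search-time fields. The events, the tokenization and the index contents are constructed assumptions, not data from the thread.

```python
from collections import Counter

# Constructed events. "terms" is what the index holds for each event: the raw-text
# tokens plus any key::value terms written by index-time extraction. Events 3 and 4
# get "type" only from search-time extraction (assumed: ingested before the
# index-time extraction existed), so they lack a "type::delta" term.
def _event(raw, index_time_fields=()):
    terms = set(raw.replace("=", " ").split())  # assumed default tokenization
    terms |= {f"{k}::{v}" for k, v in index_time_fields}
    return {"raw": raw, "terms": terms}

EVENTS = [
    _event("job=1 type=delta status=fatal", [("type", "delta")]),
    _event("job=2 type=delta status=fatal", [("type", "delta")]),
    _event("job=3 type=delta status=fatal"),  # no type::delta term
    _event("job=4 type=delta status=fatal"),  # no type::delta term
    _event("job=5 type=full status=fatal", [("type", "full")]),
    _event("job=6 type=delta status=ok", [("type", "delta")]),
]

def search_time_fields(event):
    """Search-time key=value extraction over the raw text."""
    return dict(tok.split("=", 1) for tok in event["raw"].split() if "=" in tok)

def base_match(event, field, value, indexed_fields):
    """field=value before the first pipe. For a field declared INDEXED=true in
    fields.conf the planner only looks for the field::value index term; for any
    other field it needs the bare value token and then checks the search-time field."""
    if field in indexed_fields:
        return f"{field}::{value}" in event["terms"]
    return value in event["terms"] and search_time_fields(event).get(field) == value

def piped_match(event, field, value):
    """`| search field=value` after a pipe is always evaluated on search-time fields."""
    return search_time_fields(event).get(field) == value

def run(base, piped=(), indexed_fields=("type",)):
    """Model '<base> | search <piped> | ctable type status' as counts per type."""
    hits = [e for e in EVENTS
            if all(base_match(e, f, v, indexed_fields) for f, v in base)
            and all(piped_match(e, f, v) for f, v in piped)]
    return dict(Counter(search_time_fields(e)["type"] for e in hits))

def search_1(indexed_fields=("type",)):  # type=delta status=fatal | ctable type status
    return run([("type", "delta"), ("status", "fatal")], indexed_fields=indexed_fields)

def search_rewritten():  # status=fatal | search type=delta | ctable type status
    return run([("status", "fatal")], piped=[("type", "delta")])
```

Calling `search_1()` loses the two events without a `type::delta` term, while `search_1(())` (modelling INDEXED=false) and `search_rewritten()` both count all four delta events.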
data:image/s3,"s3://crabby-images/1a552/1a552ff33d37f94e7c5bc13132edaa973c529815" alt=""