Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Inconsistent Search results

Kate_Lawrence-G
Contributor
‎02-28-2012 09:00 AM

Hi,

I am having some inconsistent search results and I'm not terribly sure why.

search #1:

earliest=-7d latest=-2h sourcetype=x  type=delta status=fatal | ctable type status

Which returns:

    type    fatal   TOTAL
1   delta   658     658
2   TOTAL   658     658

search #2:

earliest=-7d latest=-2h sourcetype=x  type=* status=fatal | ctable type status

Which returns:

    type       fatal    TOTAL
1   delta      861      861
2   full       34       34
3   TOTAL      895      895

The searches are running over the same period of time but returning differing results. I've confirmed that all my indexers are available.

Thanks

Kate

Tags (3)
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-05-2012 09:29 AM

When you search for type=delta in part of the search before the first pipe character, we use the heuristic optimization that the value of the field/value comparison, here delta is indexed. I presume that this heuristic fails here. You can fix this by changing "type" in fields.conf to not be an indexed field, at the consequence of some searches being slower.

You can find the problematic events using:

earliest=-7d latest=-2h sourcetype=x  NOT delta status=fatal | search type=delta
Reply

Kate_Lawrence-G
Contributor
‎02-28-2012 01:00 PM

I get the 861 count again....

     type   fatal    TOTAL

1 delta 861 861
2 TOTAL 861 861

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎02-28-2012 10:35 AM

what results do you get if you change your first search to: earliest=-7d latest=-2h sourcetype=x status=fatal | search type=delta | ctable type status

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...