
Inconsistent result between events and statistics - is this a limitation of custom scripts or a configuration issue?

johanhakim
Explorer

Hi,

I have a custom Python script developed for Splunk that translates Chinese characters to English. The custom search command was built following the guide below:

https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/

However, when we perform a search, the number of Events does not tally with Statistics. For example, there are a total of 8 events but only 1 in Statistics. Sometimes it tallies, but most of the time it doesn't.

I would like to know if this is a limitation within Splunk when using custom scripts, or whether there is some configuration that is not in place. I appreciate the help.


ITWhisperer
SplunkTrust

It is not possible to tell what is going on without more information.

Having said that, the number of statistics events is the number of "rows" in the statistics table at the end of the search, not the number of original events found at the beginning of the search query.

Something in your SPL is either filtering out events or aggregating events in order to reduce the number of rows in the statistics table.

One possibility, given your scenario, is that the python script is failing to return "translated" events in some circumstances. Does your custom command have any debugging capabilities or tracing written to its log to help you understand what is going on?


johanhakim
Explorer

Yes, I suspect that the SPL might be causing the inconsistency.

Below is a sample of my SPL:

index=idnxame host=*host1* EventCode=*
| rename Message as cntrfncn_Message
| table _time,cntrfncn_Message,EventCode
| cntranslate


ITWhisperer
SplunkTrust

There doesn't appear to be anything in the SPL which would remove events from the list returned by the initial search, so it is likely to be the custom command which is not returning events in some circumstances.

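The failure mode ITWhisperer describes (the custom command not returning events in some circumstances) has a very common cause in streaming custom search commands: an exception raised while processing one record terminates the `stream()` generator, so that record and every record after it in the chunk never reach the statistics table. The example below is added here to illustrate that; it is not the poster's `cntranslate` code or Splunk's. It mimics the records-in, records-out contract of a splunklib `StreamingCommand.stream(self, records)` body in plain Python (no SDK import, so it runs offline), using a constructed translation table, a hypothetical `translate()` that raises on text it cannot handle, and eight constructed events shaped like the poster's search output (`_time`, `EventCode`, `cntrfncn_Message`). The naive version reproduces "8 events, 1 statistics row"; the robust version yields every record once, passes the original text through on failure and logs the error, which is the debugging/tracing capability the reply asks about.

```python
"""Records-in, records-out contract of a streaming custom search command.

Reproduces the row-loss failure mode and shows the always-yield fix. The
translation table, translator and sample events are constructed for this
example; none of this is the poster's cntranslate command or splunklib code.
In a real command the loop bodies below would live inside
StreamingCommand.stream(self, records) and `logger` would be self.logger.
"""
import logging
from typing import Callable, Dict, Iterable, Iterator, List

logger = logging.getLogger("cntranslate_example")

Record = Dict[str, str]

# Constructed stand-in for a real translation back end.
TRANSLATIONS = {
    "登录失败": "login failed",
    "账户已锁定": "account locked",
    "密码已更改": "password changed",
}


def translate(text: str) -> str:
    """Hypothetical translator: raises KeyError on text it cannot handle,
    the way a real back end might raise on a timeout or encoding error."""
    return TRANSLATIONS[text]


def stream_naive(records: Iterable[Record]) -> Iterator[Record]:
    """Anti-pattern: one bad record kills the generator.

    Inside stream() this loses the failing record and every record after
    it in the chunk, which is how 8 events can become 1 statistics row."""
    for record in records:
        record["cntrfncn_Message_en"] = translate(record["cntrfncn_Message"])
        yield record


def stream_robust(records: Iterable[Record]) -> Iterator[Record]:
    """Fix: every input record is yielded exactly once; failures are
    recorded in the row and logged instead of aborting the stream."""
    for record in records:
        message = record.get("cntrfncn_Message", "")  # field may be absent
        try:
            record["cntrfncn_Message_en"] = translate(message)
            record["translate_status"] = "ok"
        except Exception as exc:  # report, never drop
            record["cntrfncn_Message_en"] = message  # pass original through
            record["translate_status"] = f"error: {type(exc).__name__}"
            logger.warning("translation failed for %r: %s", message, exc)
        yield record


def run_command(stream: Callable[[Iterable[Record]], Iterator[Record]],
                records: Iterable[Record]) -> List[Record]:
    """Consume a stream() generator the way the search pipeline would,
    returning whatever rows made it out before any uncaught error."""
    out: List[Record] = []
    try:
        for row in stream(dict(r) for r in records):  # copies: keep input intact
            out.append(row)
    except Exception as exc:
        logger.error("command aborted: %s", exc)
    return out


# Constructed sample: 8 events; the second carries a message the translator
# cannot handle and the fifth is missing the field entirely.
SAMPLE_EVENTS: List[Record] = [
    {"_time": "2022-10-01T00:00:0%d" % i, "EventCode": "4625",
     "cntrfncn_Message": m}
    for i, m in enumerate(["登录失败", "未知消息", "账户已锁定", "密码已更改",
                           "登录失败", "账户已锁定", "密码已更改", "登录失败"])
]
del SAMPLE_EVENTS[4]["cntrfncn_Message"]


def row_counts() -> Dict[str, int]:
    """Events in versus statistics rows out for both implementations."""
    return {
        "events_in": len(SAMPLE_EVENTS),
        "naive_rows": len(run_command(stream_naive, SAMPLE_EVENTS)),
        "robust_rows": len(run_command(stream_robust, SAMPLE_EVENTS)),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(row_counts())
```

A quick way to localize the drop in the search itself is to compare the row count immediately before and after the command, for example `... | table _time,cntrfncn_Message,EventCode | stats count` against `... | cntranslate | stats count`; if the two differ, the command is the stage losing records, and a `translate_status` field like the one above makes the failing rows visible in the statistics table instead of silently absent.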