Post processing gives incorrect results

Kaand
Explorer

Hello Everyone,

I am new to Splunk and this community. I have searched everywhere for my problem but I could not figure out what is wrong. Basically I am using a base search and a post-process search for a dashboard. My base search is something like this:
<search id="basesearch1">
<query>index=index1 | fields field1, field2</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
My second base search, which uses the first base search:
<search base="basesearch1" id="basesearch2">
<query>search field1=value1</query>
</search>
And finally the post-process search is:
<search base="basesearch2">
<query>stats count(field1) as count by field2 | sort -count | head 5</query>
</search>
When I run it as a single search query like this there is no problem:
index=index1 | fields field1, field2 | search field1=value1 | stats count(field1) as count by field2 | sort -count | head 5
However, in the dashboard the count numbers do not match the search query above. I used two base searches because, in the same dashboard, I need to use basesearch1 and basesearch2 in different panels as well.
1 Solution

bowesmana
SplunkTrust

See the best practices section about non-transforming base searches here:

https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches

As your example searches are non-transforming, it may be that you are not returning fields from the second base search.

Try adding the same | fields statement that you have in your first example.

However, in principle, when getting strange results with non-transforming base searches, it may be a resource issue.
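The answer's suggestion applied to the question's dashboard, as an added illustration that is not part of the original post. index1, field1, field2 and value1 are the question's own placeholders; the panel titles and the second panel are assumed for the example.

```xml
<dashboard>
  <label>Chained base searches with post-processing (added example)</label>

  <!-- basesearch1 is non-transforming, so it must explicitly keep the fields
       that every chained search depends on. -->
  <search id="basesearch1">
    <query>index=index1 | fields field1, field2</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <!-- basesearch2 chains off basesearch1 and is also non-transforming.
       The | fields statement is repeated here, as the answer recommends:
       without it the post-process search may receive events with no
       field1/field2 values, so its counts will not match the ad-hoc search.
       Note that chained non-transforming searches are still subject to the
       post-process event limit (500,000 events by default); if basesearch1
       returns more than that, the post-process results are truncated and the
       filter or the stats command should be moved into the base search. -->
  <search base="basesearch1" id="basesearch2">
    <query>search field1=value1 | fields field1, field2</query>
  </search>

  <row>
    <panel>
      <title>Top 5 field2 values where field1=value1</title>
      <table>
        <!-- post-process search: the transforming command runs on
             basesearch2's retained fields -->
        <search base="basesearch2">
          <query>stats count(field1) as count by field2 | sort -count | head 5</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Matching events (reuses basesearch2 in another panel)</title>
      <table>
        <search base="basesearch2">
          <query>table field1, field2</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```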

Kaand
Explorer

Actually, if I merge basesearch1 and 2 into one base search and use the post-process after that, the result I get from the post-process is fairly similar to the result I get from the search without a base search (but not the same). Therefore, I think the problem must be a resource or a limit issue. I believe somehow the base search or the post-process search cuts the job in the middle of the search.
