Post processing gives incorrect results

Kaand
Explorer

Hello Everyone,

I am new to Splunk and this community. I have searched everywhere for my problem, but I could not figure out what is wrong. Basically, I am using a base search and a post-process search for a dashboard. My base search is something like this:

<search id="basesearch1">
<query>index=index1 | fields field1, field2</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>

My second base search, which uses the first base search:

<search base="basesearch1" id="basesearch2">
<query>search field1=value1</query>
</search>

And finally the post-process search is:

<search base="basesearch2">
<query>stats count(field1) as count by field2 | sort -count | head 5</query>
</search>

When I run it as a single search query like this, there is no problem:

index=index1 | fields field1, field2 | search field1=value1 | stats count(field1) as count by field2 | sort -count | head 5

However, in the dashboard the counts do not match the above search query. I used two base searches because, in the same dashboard, I need to use basesearch1 and basesearch2 in different panels as well.

1 Solution

bowesmana
SplunkTrust

See the best practices section about non-transforming base searches here:

https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches

As your example searches are non-transforming, it may be that you are not returning fields from the second base search.

Try adding the same | fields statement you have in your first example.

However, in principle, when getting strange results with non-transforming base searches, it may be a resource issue.

Kaand
Explorer

Actually, if I merge basesearch1 and 2 into one base search and use the post-process after that, the result I get from the post-process is fairly similar to the results I get from the search without a base search (but not the same). Therefore, I think the problem must be a resource or a limit issue. I believe somehow the base search or the post-process search cuts the job in the middle of the search.
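The following Simple XML puts bowesmana's suggestion into a complete dashboard and also shows the transforming-base-search variant that the linked best-practices page recommends, which addresses the truncation Kaand suspects. This is an added example, not code from the thread or from Splunk. The index, field and value names (index1, field1, field2, value1) and the three searches from the question are taken from the post; the dashboard label, panel titles, the third base search (basesearch3) and the queries in the second row are assumed for illustration.

```xml
<dashboard>
  <!-- Added example for this thread; only the first two searches and the
       top-5 post-process query come from the question. -->
  <label>Base search and post-process example</label>

  <!-- Non-transforming base search from the question, unchanged. -->
  <search id="basesearch1">
    <query>index=index1 | fields field1, field2</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <!-- Second base search chained off the first. The only change from the
       question is the trailing "| fields field1, field2", which is the fix
       suggested in the answer: a chained non-transforming search must state
       the fields it hands on, or the post-process search may not receive them. -->
  <search base="basesearch1" id="basesearch2">
    <query>search field1=value1 | fields field1, field2</query>
  </search>

  <!-- Transforming variant (assumed, not from the thread): aggregating in the
       base search means the post-process works on a small set of rows instead
       of every raw event, which is what the best-practices page recommends
       when a non-transforming base search returns many events. -->
  <search id="basesearch3">
    <query>index=index1 | stats count by field1, field2</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Top 5 field2 for field1=value1 (post-process of basesearch2)</title>
      <table>
        <search base="basesearch2">
          <query>stats count(field1) as count by field2 | sort -count | head 5</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Same result via the transforming base search</title>
      <table>
        <search base="basesearch3">
          <!-- Re-aggregate the pre-counted rows. count(field1) in the original
               counts events where field1 is present; after "search field1=value1"
               every row has field1, so sum(count) gives the same number. -->
          <query>search field1=value1 | stats sum(count) as count by field2 | sort -count | head 5</query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <!-- Panels that reuse basesearch1 and basesearch2 directly, as the question
         requires. These two queries are assumed for illustration. -->
    <panel>
      <title>Events per field1 (basesearch1)</title>
      <chart>
        <search base="basesearch1">
          <query>stats count by field1</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Event count for field1=value1 (basesearch2)</title>
      <single>
        <search base="basesearch2">
          <query>stats count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
```

To check which of the two explanations applies, compare the first two panels against the ad hoc search from the question: if the top-5 table from basesearch2 now matches, the missing `| fields` was the cause; if it still falls short while the basesearch3 panel matches, the non-transforming base search is returning more events than the post-process is given, and the transforming form is the one to keep.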
