Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Post processing gives incorrect results

Kaand
Explorer
‎10-01-2020 07:56 AM

Hello Everyone,

I am new to the splunk and this community. I have searched everyone for my problem but i could not figure out what is wrong. Basically i am using base search and post process search for a dashboard.  My base search is something like this:

 

 

<search id="basesearch1">
<query>index=index1 | fields field1, field2</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>

 

 

my second base search that uses first base search:

 

 

<search base="basesearch1" id="basesearch2">
<query>search field1=value1</query>
</search>

 

 

and finally the post process search is:

 

 

<search base="basesearch2">
<query>stats count(field1) as count by field2 | sort -count | head 5</query>
</search>

 

 

When i apply it as a single search query like this there is no problem:

 

 

index=index1 | fields field1, field2 | search field1=value1 | stats count(field1) as count by field2 | sort -count | head 5

 

 

however, in the dashboard the count numbers does not match with the above search query. I used 2 base searches because in the same dashboard, I need to use basesearch1 and basesearch2 in different panels as well. 

Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-01-2020 02:51 PM

See the best practices section about non transforming base searches here

https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches

as your example searches are non transforming, it may be that you are not returning fields from the second base search.

Try adding the same | fields statement you have in your first example.

However, in principle, when getting strange results with non transforming base searches, it may be a resource issue.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-01-2020 02:51 PM

See the best practices section about non transforming base searches here

https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches

as your example searches are non transforming, it may be that you are not returning fields from the second base search.

Try adding the same | fields statement you have in your first example.

However, in principle, when getting strange results with non transforming base searches, it may be a resource issue.

 

Reply
Solved! Jump to solution

Kaand
Explorer
‎10-01-2020 11:01 PM

Actually if a merge basesearch1 and 2 into one basesearch and use the postprocess after that, the result i get from the post process is fairly similar to the results i get from the search without basesearch (but not the same).  Therefore, i think the problem must be a resource or a limit issue. I believe somehow the basesearch or the post process search cuts the job in the middle of the search.

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...