Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Post processing gives incorrect results

Kaand
Explorer
‎10-01-2020 07:56 AM

Hello Everyone,

I am new to the splunk and this community. I have searched everyone for my problem but i could not figure out what is wrong. Basically i am using base search and post process search for a dashboard.  My base search is something like this:

 

 

<search id="basesearch1">
<query>index=index1 | fields field1, field2</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>

 

 

my second base search that uses first base search:

 

 

<search base="basesearch1" id="basesearch2">
<query>search field1=value1</query>
</search>

 

 

and finally the post process search is:

 

 

<search base="basesearch2">
<query>stats count(field1) as count by field2 | sort -count | head 5</query>
</search>

 

 

When i apply it as a single search query like this there is no problem:

 

 

index=index1 | fields field1, field2 | search field1=value1 | stats count(field1) as count by field2 | sort -count | head 5

 

 

however, in the dashboard the count numbers does not match with the above search query. I used 2 base searches because in the same dashboard, I need to use basesearch1 and basesearch2 in different panels as well. 

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-01-2020 02:51 PM

See the best practices section about non transforming base searches here

https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches

as your example searches are non transforming, it may be that you are not returning fields from the second base search.

Try adding the same | fields statement you have in your first example.

However, in principle, when getting strange results with non transforming base searches, it may be a resource issue.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-01-2020 02:51 PM

See the best practices section about non transforming base searches here

https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches

as your example searches are non transforming, it may be that you are not returning fields from the second base search.

Try adding the same | fields statement you have in your first example.

However, in principle, when getting strange results with non transforming base searches, it may be a resource issue.

 

Reply
Solved! Jump to solution

Kaand
Explorer
‎10-01-2020 11:01 PM

Actually if a merge basesearch1 and 2 into one basesearch and use the postprocess after that, the result i get from the post process is fairly similar to the results i get from the search without basesearch (but not the same).  Therefore, i think the problem must be a resource or a limit issue. I believe somehow the basesearch or the post process search cuts the job in the middle of the search.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...