Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Result differences?

tinylund
Explorer
‎10-14-2016 06:30 AM

Fairly new to Splunk and I am trying to understand the reason for the difference in results and search time for the following:

Created an extracted field for a Windows log - WinTempFieldType

When I run a search for: WinTempFieldType=Error
Search takes seconds, less that a full minute and finds less than 100 results

When I run a search for: WinTempFieldType=* | search WinTempFieldType=Error
Search takes 15 minutes and finds 5,000+ results

I ran across this, because I have a report that has a table that I based off the following search: WinTempFieldType=* | stats count WinTempFieldType | sort -count | table WinTempFieldType count

When the report ran the table showed the WinTempFieldType row with Error and a count over 5,000 - but when I clicked on the error cell to drill down, the pending search only showed less than 100 results. So that is when I tried to manually replicate the issue and got the same results. Now I am just trying to understand WHY?

Tags (1)
0 Karma
Reply

tinylund
Explorer
‎10-14-2016 10:36 AM

I understand that

WinTempFieldType=* | search WinTempFieldType=Error

is a search within a search and would take longer...and I'm really not concerned with time, the number of results found is the most important, by is there such (any) difference.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...