Result differences?

tinylund · ‎10-14-2016

Fairly new to Splunk and I am trying to understand the reason for the difference in results and search time for the following:

Created an extracted field for a Windows log - WinTempFieldType

When I run a search for: WinTempFieldType=Error
Search takes seconds, less that a full minute and finds less than 100 results

When I run a search for: WinTempFieldType=* | search WinTempFieldType=Error
Search takes 15 minutes and finds 5,000+ results

I ran across this, because I have a report that has a table that I based off the following search: WinTempFieldType=* | stats count WinTempFieldType | sort -count | table WinTempFieldType count

When the report ran the table showed the WinTempFieldType row with Error and a count over 5,000 - but when I clicked on the error cell to drill down, the pending search only showed less than 100 results. So that is when I tried to manually replicate the issue and got the same results. Now I am just trying to understand WHY?

tinylund · ‎10-14-2016

I understand that

WinTempFieldType=* | search WinTempFieldType=Error

is a search within a search and would take longer...and I'm really not concerned with time, the number of results found is the most important, by is there such (any) difference.

Result differences?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

Result differences?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!