Scheduled search returns different results

jrfreeze · ‎04-11-2019

There are two ways users can register for our site and I'm trying to track how many registered in the last quarter. When I run this search manually, it catches all the results from both sources. When it runs as scheduled search, the normal way it will be used for the dashboard, it only catches the results from the second one (meaning the second rex line). When I reverse the order of the rex commands, I get the results from the other one.

host="our.host.com" ("Attempting new user registration" OR "Creating local user record") |
rex "\'username\':\s+u\'(?[\w\d_]+)\'" |
rex "Creating local user record for \"(?[\w\d_]+)\"" |
stats dc(newuser) AS "New Users"

Any thoughts?

jrfreeze · ‎04-12-2019

Well, I figured out a solution to my problem, although it isn't especially elegant. I put in a sed command changing one text match into the other and just counted that one:

host="our.host.com" ("Attempting new user registration" OR "Creating local user record")
| rex mode=sed "s/\'username\':\s+u\'([\w\d_]+)\'/Creating local user record for \"\1\"/"
| rex "Creating local user record for \"(?[\w\d_]+)\""
| stats dc(newuser) AS "New Users"

Now I get the same results whether I run the search directly or it runs on a schedule as I would expect.

Scheduled search returns different results

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...