Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Understanding collect and savedsearch

zacksoft_wf
Contributor
‎12-23-2021 05:13 AM

There is a SPL search, ending with stats that generates 300 events.
Now that Search, lets call it "SEARCH-1" is saved as a 'saved search', and in the 'saved-search' one extra line is added, i.e.
| collect index=sec_apps_summary source="savedSearch_1d"
And earliest , latest setting as -1@d and @d  .
There is another SEARCH-2, that invokes the 'saved search' and the SPL starts like,
| index=sec_apps_summary source="savedSearch_1d" ....

What confuses me is, SEARCH-1 and SEARCH-2 should show same count of result, but I see 300 events for SEARCH-1 and very less 16 events for SEARCH-2.
I suspect something about the way the 'saved search' is utilized , I quite don't understand the difference in result.  Any idea , why ?


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-23-2021 05:32 AM

SEARCH-2 does NOT invoke SEARCH-1.

SEARCH-1 performs a search, produces some results, and then writes those results to the sec_app_summary index.

SEARCH-2 reads the sec_app_summary index for all events written by SEARCH-1.

I hope that clears up some of the confusion.  I can't explain why SEARCH-1 writes 300 results, but SEARCH-2 only finds 16.  Perhaps that's related to time window or some aspects of the searches that weren't shared.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-23-2021 05:32 AM

SEARCH-2 does NOT invoke SEARCH-1.

SEARCH-1 performs a search, produces some results, and then writes those results to the sec_app_summary index.

SEARCH-2 reads the sec_app_summary index for all events written by SEARCH-1.

I hope that clears up some of the confusion.  I can't explain why SEARCH-1 writes 300 results, but SEARCH-2 only finds 16.  Perhaps that's related to time window or some aspects of the searches that weren't shared.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...