Splunk Search

What is the distinction between "events" versus "results"?

LukeMurphey
Champion

I hear people talk about the difference between "events" and "results" in Splunk. What is the exact difference and why should I care?


LukeMurphey
Champion

What are events?
Events are the original, raw entries that Splunk has indexed. You would see events coming out of the following search:

* | head 10

What are results?
In Splunk terminology, "results" are the output after transforming commands are executed. These are not considered events anymore (in Splunk terms) because they have been processed by search commands. You would get results as opposed to events from the following search:

* | head 1000 | stats count by sourcetype

Note that the output from the above search is no longer the original events but a table that was computed from the original events. The sourcetypes in the output came from events but they no longer map to a particular event. Splunk calls these "results".

Why should I care?
People oftentimes come across the difference between "results" and "events" when they attempt to use Splunk APIs to run searches. You would need to use a different REST endpoint to obtain the output of a search with a transforming command (such as "stats") than you would use for one that exposes events.

Consider the following example:

Start by running the following search in verbose mode within the Search app:

index=_internal sourcetype=splunk OR sourcetype=splunkd_ui_access | head 10 | stats count by sourcetype

You will see the "results" if you click the "Statistics" tab in Splunk. In my case, only two sourcetypes matched due to my search filter, which is limited to two sourcetypes. Thus there are only two rows on the statistics page.

Now click the "Events" tab. You will see the 10 original events (if you don't, make sure you ran the search in verbose mode).

Now open the job inspector and expand the "Search job properties" panel; you will see that the "resultCount" is 2, which aligns with the output you saw on the statistics tab. You will also see that "eventCount" is 10, which aligns with the output on the "events" tab.

Results and events are provided via Splunk's REST API from different endpoints. In my case, I would see 10 events from the following REST API (note that I used the SID from the job inspector to make the URL to the REST API):

https://127.0.0.1:8089/services/search/jobs/1533324055.132/events

However, I would see only 2 results from the following endpoint (note that the last part of the URL is "results", not "events"):

https://127.0.0.1:8089/services/search/jobs/1533324055.132/results

This is important because you won't get the content you want from the REST API if you use the wrong URL. You may need to have your code make a decision to use /results instead of /events.
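The decision the answer describes (choose /results when the job ran a transforming command, /events otherwise, and check the count the job inspector reports) as an added example; this is not code from the original post or from Splunk. It assumes the job properties JSON carries a "reportSearch" field (empty for a non-transforming search), and the two sample jobs are constructed.

```python
"""Pick /events or /results for a Splunk search job from its job properties.
Added example, not from the original post. The sample job properties are
constructed; the 'reportSearch' field is an assumption about the job JSON."""
import json
from urllib.parse import quote

BASE = "https://127.0.0.1:8089"  # splunkd management port, as in the post

# Constructed job properties modelled on the two searches in the post:
# one transforming (stats) job and one plain event search.
SAMPLE_JOBS = json.loads("""
{
 "1533324055.132": {"sid": "1533324055.132", "isDone": true,
   "eventCount": 10, "resultCount": 2,
   "eventSearch": "search index=_internal sourcetype=splunkd | head 10",
   "reportSearch": "stats count by sourcetype"},
 "1533324100.007": {"sid": "1533324100.007", "isDone": true,
   "eventCount": 10, "resultCount": 10,
   "eventSearch": "search * | head 10", "reportSearch": ""}
}""")


def is_transforming(job):
    """Non-empty reportSearch means a transforming command ran, so the
    usable output is the computed table under /results, not the raw events."""
    return bool(job.get("reportSearch", "").strip())


def output_endpoint(job):
    return "results" if is_transforming(job) else "events"


def output_url(job, count=100, offset=0, base=BASE):
    """Build the REST URL for the endpoint that holds this job's output."""
    sid = quote(job["sid"], safe="")  # SID comes from the job inspector
    return (f"{base}/services/search/jobs/{sid}/{output_endpoint(job)}"
            f"?output_mode=json&count={count}&offset={offset}")


def expected_count(job):
    """Rows the chosen endpoint will return; matches resultCount/eventCount
    in the job inspector. Refuse to guess while the job is still running."""
    if not job.get("isDone"):
        raise RuntimeError(f"job {job['sid']} still running; poll before fetching")
    return job["resultCount"] if is_transforming(job) else job["eventCount"]


def plan(jobs):
    """Map each SID to (endpoint, expected row count) for a fetch loop."""
    return {sid: (output_endpoint(j), expected_count(j)) for sid, j in jobs.items()}


if __name__ == "__main__":
    for sid, job in SAMPLE_JOBS.items():
        print(f"{sid}: GET {output_url(job)} -> {expected_count(job)} rows")
```

For a live instance, fetch the job properties from /services/search/jobs/<sid> with output_mode=json first, then pass entry[0].content to these functions.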
