Splunk Search

Why am I getting different results for a search when run on its own versus as a subsearch for a join?

wegscd
Contributor

I'm writing a search to see abnormally high or low levels of traffic from forwarders on a day-to-day basis: getting the previous day's sum of kb, doing an outer join to the previous 7 day's sum of kb.

The interesting issue is that I have part of the search that gives me different results when run inside a join and by itself. This search:

index=_internal source=*metrics.log group="tcpin_connections" earliest="8/20/2015:00:00:00" latest="8/27/2015:00:00:00" 
| stats sum(kb) as pKb, min(_time) as t1, max(_time) as t2, values(sourceHost) as pSh, values(hostname) as pH, dc(sourceHost) as pShC, dc(hostname) as pHC by guid 
| convert ctime(t1) as pT1| convert ctime(t2) as pT2 
| fields pH, pSh, guid, pT1, pT2, pKb, pShC, pHC
| sort pH

gives sensible and seemingly correct values (validated against a pivot and a day-by-day search for the 7 days in question).

This search gives low values for pKb:

index=_internal source=*metrics.log group="tcpin_connections" earliest="8/27/2015:00:00:00" latest="8/28/2015:00:00:00"
| stats sum(kb) as lKb, min(_time) as t1, max(_time) as t2, values(sourceHost) as lSh, values(hostname) as lH, dc(sourceHost) as lShC, dc(hostname) as lHC by guid
| convert ctime(t1) as lT1| convert ctime(t2) as lT2
| fields lH, lSh, guid, lT1, lT2, lKb, lShC, lHC
| join type=outer guid
[search index=_internal source=*metrics.log group="tcpin_connections" earliest="8/20/2015:00:00:00" latest="8/27/2015:00:00:00"
| stats sum(kb) as pKb, min(_time) as t1, max(_time) as t2, values(sourceHost) as pSh, values(hostname) as pH, dc(sourceHost) as pShC, dc(hostname) as pHC  by guid
| convert ctime(t1) as pT1| convert ctime(t2) as pT2
| fields pH, pSh, guid, pT1, pT2, pKb, pShC, pHC
]
| sort lH

Any thoughts as why I am getting different results?

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Joins (all subsearches, actually) are limited and cannot be made unlimited; read about it here:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork

View solution in original post

0 Karma

woodcock
Esteemed Legend

Joins (all subsearches, actually) are limited and cannot be made unlimited; read about it here:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork

0 Karma

wegscd
Contributor

ok... and it looks like | format maxresults went away sometime after 4.2.3 (I can get by with a limit of 2000....)

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...