Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I getting different results in verbose mode versus fast mode joining two sourcetypes with one source limited to today's data?

bfernandez
Communicator
‎04-17-2015 03:14 AM

I am trying to join two sourcetypes with a common field (ID). The problem occurs when I tried to limit one source to today's indexed data. If I execute the search in “fast mode” it applies index-time filter to both sources, but if I execute it in “verbose” it applies correctly to only one source. It works in both modes without index-time filter.

Search example over the last month:

(sourcetype=source1 _index_earliest=-d@d _index_latest=now) OR (sourcetype= source2) | stats first(fieldsource1), first(field source2) by ID

Using Splunk 6.2.2 – 255606 over Centos x64

0 Karma
Reply

khourihan_splun
Splunk Employee
Splunk Employee
‎08-08-2015 10:00 AM

What index time filter are you talking about? earliest= latest=?

those usually go at the end, but I don't think that matters.

i.e. sourcetype=source1 OR sourcetype= source2 earliest--1d@d | stats first(fieldsource1), first(fieldsource2) by ID

and I am assume your problem is that you are not discovering your fields (fieldsource1,fieldsource2 or ID) ?

If that assumption is true, it could be b/c you are running a transforming search (i.e. stats) and that causes the search to run in fast mode.

from: http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/WhenSplunkEnterpriseaddsfields

Splunk Enterprise discovers fields other than default fields and fields explicitly mentioned in the search string only when you:

run a non-transforming search in the Smart search mode.
run any search in the Verbose search mode.

transforming search: A type of search command that orders the results into a data table. Transforming commands "transform" the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes. Searches that use transforming commands are called transforming searches.

Transforming commands include chart, timechart, stats, top, rare, contingency, and highlight.

So I'd recommend you use a rex command to extract the fields you want, and test abd see if that works. If so, you could then permanently set it via EXTRACT's in the sourcetype's transforms.conf file.

I am not sure if you set the search mode to smart in the GUI if that will work, but the way I suggest is more efficient for you long-term.

Hope that help,
Cheer,
Kyle

0 Karma
Reply

woodcock
Esteemed Legend
‎08-08-2015 09:42 AM

I would definitely open a support case on this.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...