Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I getting inconsistent results when using a different search date range for the same record in Splunk 4.3.2?

ronyabar
New Member
‎08-31-2014 06:12 AM

Hi
While running a search for a specific record in a specific date (tagged as WT_vt_sid) i get one result with value for field WT_mc_id , but when i search for a date range where this record exists i get that record but without the value even though it exists on the raw data and tagged properly.
for example:
2014-06-18 23:32:07 10.222.64.1 - www.test.co.il GET /Internet/Pages/Upgrade/net.aspx utm_source=reshet&utm_medium=video&utm_campaign=upgrade&WT.mc_id=reshet-video-upgrade&WT.vt_sid=10.236.64.1-2228845616.30378829.1403134327WT.co_f=10.222.64.1-2228456616.3037429

I expect to get the value "reshet-video-upgrade" for field WT_mc_id but i get it only when i search the specific visitor(vt_sid). or sometimes when record amount is smaller (e.g.: when i narrow the search for only records with mc_id like "video" )
Splunk version is 4.3.2

Tags (3)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-03-2014 08:01 AM

First option : if this is a timestamp issue
Your data seems to be in GMT
1403134327 epoch matches the date in the first line : 2014-06-18 23:32:07

to verify that the event is in the time range you expect, please run a search like

"*10.236.64.1-2228845616.30378829.1403134327*" | table _time date_zone _raw

Second option : if this is a field extraction issue
by example there is not & separator between WT.vt_sid, oabd WT.co_f
and you have a mix of separators : , & _ -

Remember that fields names can only contain letters, numbers and underscore.
if you want to verify what is extracted check the fields available.

<mysearch> | table "WT*" "*_*" _raw

Finally do a manual field extraction.

<my search> | rex "WT.mc_id=(?<WT_mc_id>[^&]*)" | rex "WT.vt_sid=(?<WT_vt_sid>[\d\.-]*)" | table WT_mc_id WT_vt_sid

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...