Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I getting inconsistent results when using a different search date range for the same record in Splunk 4.3.2?

ronyabar
New Member
‎08-31-2014 06:12 AM

Hi
While running a search for a specific record in a specific date (tagged as WT_vt_sid) i get one result with value for field WT_mc_id , but when i search for a date range where this record exists i get that record but without the value even though it exists on the raw data and tagged properly.
for example:
2014-06-18 23:32:07 10.222.64.1 - www.test.co.il GET /Internet/Pages/Upgrade/net.aspx utm_source=reshet&utm_medium=video&utm_campaign=upgrade&WT.mc_id=reshet-video-upgrade&WT.vt_sid=10.236.64.1-2228845616.30378829.1403134327WT.co_f=10.222.64.1-2228456616.3037429

I expect to get the value "reshet-video-upgrade" for field WT_mc_id but i get it only when i search the specific visitor(vt_sid). or sometimes when record amount is smaller (e.g.: when i narrow the search for only records with mc_id like "video" )
Splunk version is 4.3.2

Tags (3)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-03-2014 08:01 AM

First option : if this is a timestamp issue
Your data seems to be in GMT
1403134327 epoch matches the date in the first line : 2014-06-18 23:32:07

to verify that the event is in the time range you expect, please run a search like

"*10.236.64.1-2228845616.30378829.1403134327*" | table _time date_zone _raw

Second option : if this is a field extraction issue
by example there is not & separator between WT.vt_sid, oabd WT.co_f
and you have a mix of separators : , & _ -

Remember that fields names can only contain letters, numbers and underscore.
if you want to verify what is extracted check the fields available.

<mysearch> | table "WT*" "*_*" _raw

Finally do a manual field extraction.

<my search> | rex "WT.mc_id=(?<WT_mc_id>[^&]*)" | rex "WT.vt_sid=(?<WT_vt_sid>[\d\.-]*)" | table WT_mc_id WT_vt_sid

0 Karma
Reply
Get Updates on the Splunk Community!

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...

We understand that your initial experience with getting data into Splunk Observability Cloud is crucial as it ...