I have the main search returning results appropriately in the "Events" tab; however, the visualization returns incorrect graphs/counts. I have a similar issue with my intended sub search below. Essentially I am trying to find/make a list of 'hostname's in the sub search and then compare that to the main search to see what applications are installed on those hostnames. I have to normalize columns to read 'hostname' and ignore some fields.
index=test_assets source="C:\\Splunk Test Assets\\SCEP.csv" OR source="C:\\Splunk Test Assets\\McAfee.csv" OR source="C:\\Splunk Test Assets\\DG-Windows.csv" OR source="C:\\Splunk Test Assets\\DG-Mac.csv" OR source="C:\\Splunk Test Assets\\PGP.csv" NOT "Windows Server 2008 R2 Standard" | rename "HostName" as hostname | rename "System Name" as hostname | rename name as hostname | rename "Host Name" as hostname | rename MACHINE_NAME as hostname | replace "C:\Splunk Test Assets\SCEP.csv" with SCEP IN source | replace "C:\Splunk Test Assets\McAfee.csv" with McAfee In source | replace "C:\Splunk Test Assets\DG-Windows.csv" with DG In source | replace "C:\Splunk Test Assets\DG-Mac.csv" with DG IN source | replace "C:\Splunk Test Assets\PGP.csv" with PGP IN source | chart count over hostname by source
This is the sub search (below) that I am trying to mine for hostnames to compare to the main search (above).
The sub search returns an appropriate number of entries in the "Events" tab for "source"; however, when I go to the visualization, the graphs are not representative of the counts I see in the "Events" tab.
index=test_assets source="C:\\Splunk Test Assets\\WSUS.csv" OR source="C:\\Splunk Test Assets\\Altiris_hostnames.csv" OR source="C:\\Splunk Test Assets\\mac-AD.csv" NOT "System Type"=Virtual NOT "System Type"="Thin Client" NOT "Operating System"="Windows Server 2003 Standard Edition" NOT "Operating System"="Windows Server 2003 Standard x64 Edition" NOT "Operating System"="Windows Server 2008 R2 Standard Edition" NOT "Operating System"="Windows Server 2008 Standard Edition (full installation)" NOT "Operating System"="Windows 2000 Datacenter Server" NOT "Operating System"=Linux NOT "OS Name"=AIX NOT "OS Name"=AIX5L NOT "OS Name"=CentOS NOT "OS Name"=HP-UX NOT "OS Name"="HP-UX 11i v1" NOT "OS Name"=Linux NOT "OS Name"="Red Hat Enterprise Linux" NOT "OS Name"="Red Hat Linux" NOT "OS Name"=SunOS NOT "OS Name"="SUSE Linux" NOT "OS Name"="SUSE Linux Enterprise Server" NOT "OS Name"="Ubuntu Linux" NOT "Operating System"=VMWare NOT "OS Name"="Microsoft Windows Server 2003" | rename "System Name" as "hostname" | rename "name" as "hostname" | rename "HostName" as "hostname" | rename "Host Name" as "hostname" | rename MACHINE_NAME as "hostname" | replace "C:\Splunk Test Assets\Altiris_hostnames.csv" with Altiris in source | replace "C:\Splunk Test Assets\WSUS.csv" with Windows-WSUS IN source | replace "C:\Splunk Test Assets\mac-AD.csv" with Mac-WSUS IN source | dedup hostname | chart count over hostname by source
So, two questions then, I guess. Why are the source counts in the Events tab not matching up, and how do I join the second search as a sub search?
Resolved this with 'append' and not appendcols as I had been using.
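One way to join the two searches with append and then compare them per hostname, written here as an added example rather than the poster's own query. It assumes the same CSV sources and column names as above, drops the OS exclusion filters for brevity, and normalizes hostnames to lowercase short names so the same machine lines up across sources; the record_type, app and has_* field names are my own.

```spl
index=test_assets (source="C:\\Splunk Test Assets\\WSUS.csv" OR source="C:\\Splunk Test Assets\\Altiris_hostnames.csv" OR source="C:\\Splunk Test Assets\\mac-AD.csv")
| rename "System Name" as hostname, "Host Name" as hostname, HostName as hostname, MACHINE_NAME as hostname, name as hostname
| eval hostname=mvindex(split(lower(trim(hostname)), "."), 0), record_type="asset", app="none"
| fields hostname record_type app
| append
    [ search index=test_assets (source="C:\\Splunk Test Assets\\SCEP.csv" OR source="C:\\Splunk Test Assets\\McAfee.csv" OR source="C:\\Splunk Test Assets\\DG-Windows.csv" OR source="C:\\Splunk Test Assets\\DG-Mac.csv" OR source="C:\\Splunk Test Assets\\PGP.csv")
      | rename "System Name" as hostname, "Host Name" as hostname, HostName as hostname, MACHINE_NAME as hostname, name as hostname
      | eval hostname=mvindex(split(lower(trim(hostname)), "."), 0), record_type="app"
      | eval app=case(like(source, "%SCEP%"), "SCEP", like(source, "%McAfee%"), "McAfee", like(source, "%DG-%"), "DG", like(source, "%PGP%"), "PGP", true(), "other")
      | fields hostname record_type app ]
| stats max(eval(if(record_type="asset", 1, 0))) as in_asset_list,
        max(eval(if(app="SCEP", 1, 0))) as has_SCEP,
        max(eval(if(app="McAfee", 1, 0))) as has_McAfee,
        max(eval(if(app="DG", 1, 0))) as has_DG,
        max(eval(if(app="PGP", 1, 0))) as has_PGP
        by hostname
| where in_asset_list=1
| eval app_count=has_SCEP+has_McAfee+has_DG+has_PGP
| table hostname has_SCEP has_McAfee has_DG has_PGP app_count
| sort app_count, hostname
```

The resulting table lists only hostnames present in the asset inventory, with a 0/1 flag per product, so rows with a low app_count are the machines missing agents. Because append's subsearch is bounded by Splunk's subsearch result and time limits, a large inventory is safer as a single search over all eight sources with record_type derived from source and no subsearch at all.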
Could you paste some sample output you get from the search/subsearch that you see in the Events tab?