Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are the events dropping from the search (subsearch used)?

byu168
Path Finder
‎02-27-2018 11:50 AM

I'm using the below search to grab a list of tag_values from one index and use it as a subsearch on another index. I'm finding not all events are getting picked up though. The subsearch returns 140 results so it's not a limitation on that end. With the subsearch I don't pick up all the messages I'm looking for for each run (e.g. I get 7 results returned for "DVT ready" but there should be a message for each). Is the event dropping related to how many events are being searched in the pipeline_logs index? This is being run over the past week also

((index=pipeline_logs AND (geniaComplete.flag OR "DVT ready" OR "acap branch path setup" OR "oc-cal job" OR "downloading raw data" OR "oc-cal ACAP processing" OR "Multichunk processing complete" OR "annotations upload to GCS" OR "SGE driver started" OR "transfer complete for all banks")) [search index=cumulus1 source=mysql-runs sourcetype=run_analysis AND analysis_type=reanalysis NOT pct_cells_sampled=10.0 NOT run_group="*HTP*" | eval tag_value=mvindex(split(file_name,"."),1) | table tag_value ])
0 Karma
Reply

somesoni2
Revered Legend
‎02-27-2018 02:46 PM

The subsearch have limitation on the execution time as well, apart from number of rows returned. (see link below). It could be possible that the subsearch is auto finalized due to longer processing time. Do you see any message in the job dropdown (below search bar) regarding your subsearch?

https://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Aboutsubsearches#Subsearch_performance_con...

0 Karma
Reply

byu168
Path Finder
‎02-27-2018 03:20 PM

It doesn't seem to be an execution time limit. Running the entire search only takes 10 seconds.

My title may have been off. Events may not be being dropped during the subsearch but on the entire search. For some tag_values I get 2/10 messages even though all messages exist

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...