- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why do less events display while searching as * th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
Less Event displayed while searching as * then search hostname while its showing if I search at the beginning with hostname
Please suggest why it is misbehaving and what is the Solution for this to get all events .
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AKBBB,
the problem is that in the first search you used the Caption=FREQSAPP150 conditiopn before a dedup command in the second after it.
This means that some of the results coulbe be eliminated by the dedup.
In addition you have two dedups, why don't use only one?
Anyway SPL best prectices say to put search conditions as left as possible avoinding more search command as you did.
So rebuild you search in this way.
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" ) Caption=FREQSAPP150 Vendor="*"
| fields _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
| eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
| sort Caption _time limit=0
| dedup _time CaptionCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AKBBB ,
pleae share your searches.
Then did you used a fixed time (e.g. yesterday or last hour) or you're using now as latest?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I search by using below SPL
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" ) Caption=FREQSAPP150
|search Vendor="*" Caption="*"
|search * Vendor="*"
|dedup _time
|table _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
|eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
|sort Caption _time limit=0
|dedup _time Caption
I get 2760 records
while using
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" )
|search Vendor="*" Caption="*"
|search * Vendor="*"
|dedup _time
|table _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
| search Caption=FREQSAPP150
|eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
|sort Caption _time limit=0
|dedup _time Caption
I get only 3 as below
Complete 5,889 events (1/1/23 12:00:00.000 AM to 2/1/23 12:00:00.000 AM)
| 2023-01-29 15:00:47 | FREQSAPP150 | -1 | 2 | 0 |
| 2023-01-29 16:52:51 | FREQSAPP150 | -1 | 2 | 0 |
| 2023-01-31 19:06:59 | FREQSAPP150 | -1 | 2 | 0 |
problem is here due to this Availaibility from search is coming around 80% and from second its coming 0,
i want understand why its happening
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AKBBB,
the problem is that in the first search you used the Caption=FREQSAPP150 conditiopn before a dedup command in the second after it.
This means that some of the results coulbe be eliminated by the dedup.
In addition you have two dedups, why don't use only one?
Anyway SPL best prectices say to put search conditions as left as possible avoinding more search command as you did.
So rebuild you search in this way.
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" ) Caption=FREQSAPP150 Vendor="*"
| fields _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
| eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
| sort Caption _time limit=0
| dedup _time CaptionCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I search by using below SPL
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" ) FREQSAPP150
|search Vendor="*" Caption="*"
|search * Vendor="*"
|dedup _time
|table _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
|eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
|sort Caption _time limit=0
|dedup _time Caption
I get 2760 records
while using
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" )
|search Vendor="*" Caption="*"
|search * Vendor="*"
|dedup _time
|table _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
| search Caption=FREQSAPP150
|eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
|sort Caption _time limit=0
|dedup _time Caption
I get only 3 as below
Complete 5,889 events (1/1/23 12:00:00.000 AM to 2/1/23 12:00:00.000 AM)
| 2023-01-29 15:00:47 | FREQSAPP150 | -1 | 2 | 0 |
| 2023-01-29 16:52:51 | FREQSAPP150 | -1 | 2 | 0 |
| 2023-01-31 19:06:59 | FREQSAPP150 | -1 | 2 | 0 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your first search finds event with FREQSAPP150 anywhere in the event, whereas your second search filters for FREQSAPP150 only being in the Caption field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but 2nd search should return all events which is coming in 1st search
why not getting , please suggest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, up to the point you do this:
| search Caption=FREQSAPP150This removes the events which don't match this criteria.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to use the 2nd search only in whole query of dashboard .
so this logic should work . so cant remove becoz this need to apply on lots of many other server .
In 1st logic if I put Caption=FREQSAPP150 it aslo producing 2760 events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have explained why you are getting fewer results (which was your question, although "misbehaving" is not the right word since it is behaving as you have coded it!). Perhaps it would be better if you explained what it is you are trying to achieve, so we can help you create a search for that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we are calculating % of server availability from the code and 2nd search is part of whole query (from where event discrepancy is there) in this we are searching all events then calculating availability based on each server,
when 0% availability was seen so then I searched putting server in start of query then its resulting availability .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share your two searches and some events which are included and some which are missed.
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
