Splunk Search

Why do more events appear when using OR as opposed to searching indexes seperately?

russell120
Communicator

Hi,

When I run index=wineventlog earliest=-5s@s latest=now the results are 35k events. When I run sourcetype=mySourceType earliest=-15m@m latest=now the results are 2k events. Both searches take only 10 or so seconds.

But when I run (index="wineventlog" earliest=-5s@s latest=now) OR (sourcetype="mySourceType earliest=-15m@m latest=now) the search will run for 60seconds, search through 1.5million events and will only be 0.29% complete at the 60 second mark (according to the job inspector). The time picker is set to All Time (I'm assuming having time modifiers in the query will have the time picker be ignored).

Why is that? My ultimate goal is to search 3 indexes together overnight with OR, and without using a subsearch (due to subsearch time limitations set by admins).

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Few things here. Your search modifier is referencing relative time via now so you will get different results every time you run this since you don't have an absolute time set. Change your earliest and latest to absolute epoch time values then do the compare. Next, there is a difference between AND and OR in Splunk. You should look at what sourcetypes are in that wineventlog index and how many indexes are using that additional sourcetype.

0 Karma

maciep
Champion

hmm...i've always assumed that you can only have one earliest/latest...just like you can only choose one timeframe in the picker. I wonder if splunk sees two defined, doesn't know what to do and uses the timepicker. Maybe set the timepicker to 30 minutes and confirm whether that does get used...you don't need to confirm with All Time only.

So your goal is to search the 3 indexes over different time periods? Trying to understand the example of 5s & 15min versus the goal of "overnight".

And probably not super efficient either, but in your example you could search both over 15m and then filter for only wineventlog events in the past 5s. It's ugly, but if you can't use append and they have to be separate ranges, it's one thing that comes to mind.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...