Why do these searches yield such different results...

csyvenky · ‎05-29-2018

index="xyz" "a.b.c.d"=xyz
| chart count by a.b
Yields 232 results.

In order to get field names that are more reasonable, I tried the following:

index="xyz"
| xmlkv
| search a=xyz
| chart count by xyz
| sort - count
Yields only 204 results.

Why does the search with the sub-search truncate results?

csyvenky · ‎05-30-2018

Doh! I saw that last night and was unable to edit my post accordingly. The chart count is irrelevant to the issue. I'm just pointing out how after the xmllv that I have short/useable field names.

a.b.c.d is an XPATH = element1.element1b.element1c.element1d

after the xmlkv I can simply reference d.

What I should have said was:

index="xyz" "a.b.c.d"=xyz
Yields 232 results.

In order to get field names that are more reasonable, I tried the following:

index="xyz"
| xmlkv
| search d=xyz
Yields only 204 results.

dflodstrom · ‎05-30-2018

Is "a.b.c.d" a field and "a.b" another field? In the second search you are saying search for a field, "a", with the value "xyz" and then you're counting by that value, "xyz" again. I think your example isn't reflecting what you're actually doing.

Why do these searches yield such different results?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!