Splunk Search

Why does searching fields in a summary index generate single value fields that have two identical values?

Xisor
Explorer

Hey folks,

I'm looking at a summary index that's being generated through the Splunk Web (e.g. the source is being set to the savedsearch's name, into an index selected right at the bottom of Splunk Web for the saved search).

We're plugging in plenty of data, and it's ticking along nicely. The search command is basically this:

index=raw_index_with_stuff source=specific_alpha 
| stats avg(field_a) AS field_a avg(field_b) AS field_b avg(field_c) AS field_c by host
| rename host AS hostname

Nothing too complicated.

The events in the summary index similarly look right. E.g.:

01/09/2017 11:55:00 -0500, search_name="Summary_Stuff_5m", search_now=1483981500.000, info_min_time=1483980900.000, info_max_time=1483981200.000, info_search_time=1483981502.975, field_a=1.000 field_b=1.921 field_c=1.114 hostname=laptop1701a

Now, my problem is looking at the fields. If we do a simple query like:

index=summary_index_with_stuff source=Summary_Stuff_5m
| timechart avg(field_a) by hostname

It doesn't generate results. (It's also averaging averages, which is somewhat dubious, I know.)

Clicking on the events that feed into that (e.g. into the events tab), we see all the individual events properly summarised, as above, which leaves me scratching my head as to why that's the case.

When I click on an individual event (the > under the i column), we get closer to the heart of the issue:
image showing the crux of the problem

A colleague of mine suggests this could be the result of the summarising search running twice - but that would surely generate two identical events, not an event with identical values in what should be single valued fields?

My suspicion is that it could be interplay with a field extraction (or similar)? (As it looks, to me, like certain fields have been extracted twice), but beyond 'a field extraction' (there are many), I'm currently stumped as to what I'm looking for.

0 Karma
1 Solution

somesoni2
Revered Legend

Your summary index search and data looks good. It seems more to me like a field extraction issue where Splunk has tried to extract the field twice and causing the field to be a multivalued field. Since summary index writes in key-value fashion, you don't need any explicit field extractions. Check if anything is setup for your source.

View solution in original post

somesoni2
Revered Legend

Your summary index search and data looks good. It seems more to me like a field extraction issue where Splunk has tried to extract the field twice and causing the field to be a multivalued field. Since summary index writes in key-value fashion, you don't need any explicit field extractions. Check if anything is setup for your source.

Xisor
Explorer

Good shout, somesoni2.

Looking in the transforms, we found:
transforms
[Summary_Stuff_5m]
DELIMS = ",", "="
CAN_OPTIMIZE = false
MV_ADD = true
CLEAN_KEYS = false

And I think it was that MV_ADD line that was the trouble. Testing it out in dev, it transpired to be the case. We think this'd been set inadvertently previously, and moving to MV_ADD = false looks to have entirely resolved the issue.

Huge thanks for everyone's input!

DalJeanis
Legend

I'd start with this -

index=summary_index_with_stuff source=Summary_Stuff_5m | head 5 | eval mytime = _time| table mytime field_a hostname

Are there results for that? If not, then one of the required fields is missing for "timechart avg(field_a) by hostname". The timechart command depends on the _time. Is it present in your summary index?

0 Karma

Xisor
Explorer

Good shout, but it's more than that. So the search:
index=summary_index_with_stuff source=Summary_Stuff_5m
| head 5
| eval mytime = _time
| table mytime "Bytes_Received/sec" hostname

That 'properly' yields results:
mytime || field_a || hostname
1484039400 || 0.000000, 0.000000 || WS4HECC4, WS4HECC4
1484039400 || 0.000000, 0.000000 || WS4HECA2, WS4HECA2
1484039400 || 52.590353, 52.590353 || WS4ALAR8, WS4ALAR8
1484039400 || 1.093472, 1.093472 || WR8YX2KC,, WR8YX2KC
1484039400 || 2.613286, 2.613286 || WR8WX02V, WR8WX02V

Except that field_a & hostname are duplicate values.

0 Karma

DalJeanis
Legend

You can use mvdedup to kill the extra values, but that doesn't account for why they're there in the first place. The link posted by rjthibod looks like a good place to start.

0 Karma

rjthibod
Champion

It might be helpful if you shared the configuration in savedsearches.conf that is generating the summary data. Those details might be helpful.

Also, what kind of environment are you running: Clustered or standalone?

0 Karma

Xisor
Explorer

Cheers, this is a clustered environment.

On one of the dedicated 'job' search heads (not used for ad-hoc searches, only scheduled ones) is where this savedsearches.conf piece lives:

[Summary_PerfmonMK:Redirector_5m]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index._name = stuff_wks_summary
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */5 * * * *
enableSched = 1
realtime_schedule = 0
schedule_window = 1
search = index=stuff_wks_perfmon sourcetype="PerfmonMK:Redirector" earliest=-10m@m latest=-5m@m | stats \
avg(Bytes_Received/sec) as Bytes_Received/sec \
avg(Bytes_Total/sec) as Bytes_Total/sec \
avg(Bytes_Transmitted/sec) as Bytes_Transmitted/sec \
avg(Current_Commands) as Current_Commands \
avg(File_Data_Operations/sec) as File_Data_Operations/sec \
avg(File_Read_Operations/sec) as File_Read_Operations/sec \
avg(File_Write_Operations/sec) as File_Write_Operations/sec \
avg(Network_Errors/sec) as Network_Errors/sec \
avg(Reads_Denied/sec) as Reads_Denied/sec \
avg(Server_Disconnects) as Server_Disconnects \
avg(Server_Sessions_Hung) as Server_Sessions_Hung \
avg(Writes_Denied/sec) as Writes_Denied/sec by host | rename host as hostname

As you see, it's perfmon and pretty straight forward.

All of those fields generated are duplicated, so too is info_max_time, info_min_time, info_search_time, search_name, search_now, and hostname (as mentioned before).

This occurs both on the regular clustered search heads (that live behind a load balancer) and also on the job search heads (breaking my own rules and doing an ad-hoc search on them gets the same results).

0 Karma

rjthibod
Champion

Since you are not using the summary indexing transforming commands (e.g., sistats), I think you might need to use addinfo and collect in your search. This is based on the guidance here http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Configuresummaryindexes#Search_commands_....

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...