Splunk Search

Why does the same search produce different results?

New Member

I am automating a report.
So for that I use 4 dump CSV files whose names I don't change. When I changed the dump, I used to 'delete' the earlier source and upload the new one with the same name in the Search app. I had another app installed which uses this search, and the process worked fine until recently, when I uploaded new data.

To elaborate:

For the query below

source="Dump Tier 2 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
| eval / = "Tier 2 Tickets By RunFactory"
| append
    [search source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
    | eval / = "Tier 2 Tickets"]
| append
    [search source="Dump Tier 1.5 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
    | eval / = "Tier 1.5 Tickets by RunFactory"]
| append
    [search source="Dump Tier 1.5.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
    | eval / = "Tier 1.5 Tickets"]
| chart count by /, Internal_Team
| addtotals

I get the count of Tier 2 as 3800-odd events,

and when I do

source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv"  Internal_Team = "*" 

it gives me a count of 3335, which is the correct one.

This happens within my installed app and in the Search app too.

What's wrong?

0 Karma
1 Solution

Revered Legend

In your combined query, you're doing aggregation based on the field Internal_Team, which I'm guessing is a multivalued field for some events. I would check the counts of the following queries to confirm the same.

This should give 3335

source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"  | stats count

This should give 3800

source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"  | stats count by Internal_Team | stats sum(count) as count


New Member

This was indeed the case. The field Internal_Team was extracted from a lookup file, and that file had duplicate values, resulting in multivalued fields for some events. Hope this helps someone else. 🙂

0 Karma
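To make the accepted answer and the confirmation above concrete, here is an added example (my own code, not from the thread or from Splunk) that simulates in Python how a lookup with duplicate keys turns Internal_Team into a multivalued field, why "stats count" and "stats count by Internal_Team" then disagree, and how deduplicating the lookup restores one count per event. The ticket ids, team names and lookup rows are constructed sample data.

```python
from collections import Counter

# Constructed sample: raw CSV events keyed by ticket id, plus a lookup that
# maps ticket id -> Internal_Team. The lookup has two rows for ticket T3,
# which is the duplicate-value situation the original poster described.
EVENTS = [{"ticket": "T1"}, {"ticket": "T2"}, {"ticket": "T3"}, {"ticket": "T4"}]
LOOKUP = [
    ("T1", "Network"),
    ("T2", "Storage"),
    ("T3", "Network"),
    ("T3", "Compute"),   # duplicate key: a second value for T3
    ("T4", "Storage"),
]

def apply_lookup(events, lookup):
    """Mimics the lookup enrichment reported in the thread: every matching
    lookup row contributes a value, so duplicate keys yield a multivalued
    Internal_Team on the affected events."""
    enriched = []
    for ev in events:
        values = [team for key, team in lookup if key == ev["ticket"]]
        enriched.append({**ev, "Internal_Team": values})
    return enriched

def stats_count(events):
    """'stats count': exactly one per event, whatever the field holds."""
    return len(events)

def stats_count_by(events, field):
    """'stats count by <field>' (and 'chart count by ... <field>'): an event
    with N values is counted once per value, so the summed counts exceed
    the number of events whenever the field is multivalued."""
    counts = Counter()
    for ev in events:
        for value in ev[field]:
            counts[value] += 1
    return dict(counts)

def multivalued_tickets(events, field):
    """Diagnostic check: which events carry more than one value."""
    return [ev["ticket"] for ev in events if len(ev[field]) > 1]

def dedup_lookup(lookup):
    """Mitigation: keep the first row per key so the lookup is one-to-one."""
    seen, cleaned = set(), []
    for key, team in lookup:
        if key not in seen:
            seen.add(key)
            cleaned.append((key, team))
    return cleaned
```

Running it shows 4 events but a summed by-team count of 5 with the duplicated lookup, and 4 again once the lookup is deduplicated, which is the 3335 versus 3800-odd discrepancy in miniature.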

SplunkTrust

When you post code, be sure to mark it as code (the button with 101 010 on it). That way, the web interface won't cause stuff in angle brackets < > to disappear, and won't use asterisks as an instruction to make the words bold or italic.


I suspect that the answer is something having to do with propagation of the file, so I'd be looking for a way for you to test with local=true. Meanwhile, here's an experiment you can try -


Try this and see if you get any Tier 2 -- you should get zero -

source="Dump Tier 2 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
|eval / = "Tier 2 Tickets By RunFactory" 
|append 
    [search source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    | eval / = "Tier 2 Tickets" | where 1!=1] 
| append 
    [ search source="Dump Tier 1.5 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    |eval / = "Tier 1.5 Tickets by RunFactory" ] 
| append 
    [ search source="Dump Tier 1.5.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    | eval / = "Tier 1.5 Tickets" ] 
| chart count by /, Internal_Team 
| addtotals

If you got any tier two results, they have to be coming from one of the other files, which shouldn't be possible, but it's interesting...

0 Karma