Splunk Search
Highlighted

Why is the same search query used before & after the appendcols command producing different results in those 2 columns?

Explorer

When I run "index=abc | table bytes | head 10", it returns:
bytes
1665
1369
2252
893
3920
356
1803
1718
2833
533

However, when I run:

index=abc | table bytes | head 10 | appendcols [search index=abc | table bytes | head 10 | rename bytes as ok ]

RESULTS TABLE:
bytes ok
1665 1665
1369 1369
2252 3825
893 2194
3920 2673
356 1659
1803 1808
1718 1206
2833 226
533 3973

Those 2 columns are expected to be the same but the results show that they are different.
Anyone know why?

0 Karma
Highlighted

Re: Why is the same search query used before & after the appendcols command producing different results in those 2 columns?

Path Finder

try adding, to both queries:

| sort -$field | head...

As 'head', I think will just skim the first results it comes across, not sure why these would be different, but this forces splunk to follow the ordering.