Solved: Why isn't my search showing the full results?

splunker969 · ‎10-09-2017

When I search for this query it shows wrong results ?

When I serach for this query shows full results ?

host=wdc |stats count by host

Any help .

DalJeanis · ‎10-10-2017

According to this answer by @somesoni2, metadata is not time bound.

As such, it is never going to match exactly with numbers you get from the other search.

Here's a quote from the metadata documentation

In small testing environments, the data is complete. However, in environments with large numbers of values for each category, the data might not be complete. This is intentional and allows the metadata command to operate within reasonable time and memory usage.

View solution in original post

DalJeanis · ‎10-10-2017

According to this answer by @somesoni2, metadata is not time bound.

As such, it is never going to match exactly with numbers you get from the other search.

Here's a quote from the metadata documentation

In small testing environments, the data is complete. However, in environments with large numbers of values for each category, the data might not be complete. This is intentional and allows the metadata command to operate within reasonable time and memory usage.

splunker969 · ‎10-10-2017

Thanks @ DalJeanis

lfedak_splunk · ‎10-09-2017

Hey @splunker969, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

splunker969 · ‎10-10-2017

sure , .@ ifedak ,the problem was not resolved .Thanks 🙂

sbbadri · ‎10-10-2017

splunker969 · ‎10-10-2017

@sbbadri No ,results after searching above query ,Thanks @sbbadri

gcusello · ‎10-09-2017

Hi splunker969
did you tried

| metasearch index=* 
| lookup domain.csv host OUTPUT domain datacenter host IP 
| search domain=Y 
| eval age=(now()-recentTime) 
| convert ctime(*Time) 
| append [ |inputlookup domain.csv ] 
| dedup host 
| fields host IP domain datacenter lastTime age totalCount
| sort lastTime

?
Anyway in your search there is something strange: you append a lookup rows (without date/time field) to a search with date/time and then you perform a dedup by host (deleting in this way some results maybe with time and age) and then you sort results by lastTime that it isn't in the lookup, what do you want as result?

Bye.
Giuseppe

splunker969 · ‎10-09-2017

Actually we are trying to right above search with logging list and not logging list to be in same list .So we used that above search.

splunker969 · ‎10-10-2017

Thanks @ cusello

DalJeanis · ‎10-09-2017

When you coded this...

| lookup domain.csv host output domain datacenter host IP

I suspect you may have meant this...

| lookup domain.csv host OUTPUT domain datacenter host IP

splunker969 · ‎10-09-2017

I dont see any change after changing Capital OUTPUT .

splunker969 · ‎10-09-2017

Iam not sure why the metadata search is not showing full results .

Why isn't my search showing the full results?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?