Splunk Search

Why results are not same when the query is executed for a large time range

gndivya
Explorer

I have a query which uses streamstats, eventstats, stats, and transaction (trying to achieve brute force attack logic). It displays the search results when I give the proper date range (from 05/12/2020 at 17:30:00 to 05/12/2020 at 17:35:00, which is just 5 mins). But the same search does not give me the same search result; it produces a different search result when the date range is given as 05/12/2020 at 17:20:00 to 05/12/2020 at 17:45:00, which is nearly 25 mins.
Please let me know why this happens.

Query used is:

index=wineventlog_sec* tag=authentication (action=success OR action=failure)
| table _time user dest EventCode action
| sort 0 user _time dest
| streamstats count as attempts by action user dest reset_on_change=true
| streamstats count(eval(attempts=1)) as sessions by user dest
| eventstats count as max_attempts by sessions user dest
| eval success_session=(sessions-1)
| eventstats max(eval(case(match(action,"failure") AND attempts=1 AND max_attempts>50 ,_time))) as lastFailed max(eval(case(match(action,"success") AND attempts=1,_time))) as lastSuccess by action user dest success_session
| search attempts=1
| transaction user dest maxspan=1m maxevents=2
| search lastFailed=* AND lastSuccess=*

0 Karma

bowesmana
SplunkTrust

The transaction command may be limited by memory constraints. You have maxspan, but depending on your transaction length (you are using a long transaction time) and whether you still have many open events, you could be hitting memory limits.

This is often a cause for somewhat confusing, non-repeatable behaviour. If you have access to limits.conf, you could play around with the settings to see if that is a possibility.

0 Karma

richgalloway
SplunkTrust

What you describe sounds normal. A longer time window usually will process more events and so produce different results.
How are your results different?

---
If this reply helps you, Karma would be appreciated.
0 Karma

gndivya
Explorer

When the time range is larger, the results which I am expecting are not displayed. Instead, some other results are drawn. But when the time range is very specific, I am able to get the results which I am expecting.

0 Karma

richgalloway
SplunkTrust

Is it possible your expectations are incorrect? Could you be more specific about expected and actual results in each case?

---
If this reply helps you, Karma would be appreciated.
0 Karma

gndivya
Explorer

If my expectations are incorrect, then the same result should be displayed even though the time range is larger. But that is not happening in my case. Narrow time range: actual results; expand the time range: no results. How do I mitigate this?

0 Karma
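As an added illustration that is not part of any reply in this thread: the posted pipeline is stateful (streamstats run counting with reset_on_change, then transaction pairing with maxevents=2), so which events fall inside the window decides how runs and pairs form. The Python below is a simplified, hypothetical model of that logic (not Splunk itself; transaction is modelled as greedy grouping in sort order, and the threshold is lowered from the query's 50 to 3) run over constructed events for one user and one destination, using the two time ranges from the question.

```python
from datetime import datetime, timedelta

# Constructed sample events, not from the original post: (time, user, dest, action)
T0 = datetime(2020, 5, 12, 17, 20)

def at(minutes, seconds=0):
    return T0 + timedelta(minutes=minutes, seconds=seconds)

EVENTS = (
    [(at(2), "bob", "srv1", "failure"), (at(2, 30), "bob", "srv1", "success")]  # earlier short burst
    + [(at(3), "bob", "srv1", "failure")]          # one stray failure with no success after it
    + [(at(11, s), "bob", "srv1", "failure") for s in range(0, 30, 5)]  # 6 rapid failures at 17:31
    + [(at(11, 40), "bob", "srv1", "success")]     # success 40 s after that run starts
)

def detect(events, start, end, threshold=3, maxspan=60, maxevents=2):
    """Simplified model of the posted pipeline (hypothetical, not Splunk itself):
    streamstats run counting with reset_on_change, eventstats run length,
    then transaction over the run-start (attempts=1) events per user/dest."""
    rows = sorted((e for e in events if start <= e[0] <= end),
                  key=lambda e: (e[1], e[0], e[2]))   # sort 0 user _time dest
    # streamstats count as attempts by action user dest reset_on_change=true:
    # a run continues as long as (user, dest, action) does not change.
    runs = []   # [start_time, user, dest, action, length]: one entry per run
    prev = None
    for t, user, dest, action in rows:
        if (user, dest, action) != prev:
            runs.append([t, user, dest, action, 0])
            prev = (user, dest, action)
        runs[-1][4] += 1
    # transaction user dest maxspan=1m maxevents=2, modelled greedily in sort order
    txns, current = [], {}
    for run in runs:
        key = (run[1], run[2])
        cur = current.get(key)
        if cur and len(cur) < maxevents and (run[0] - cur[0][0]).total_seconds() <= maxspan:
            cur.append(run)
        else:
            current[key] = cur = [run]
            txns.append(cur)
    # search lastFailed=* AND lastSuccess=*: the transaction needs a failure run
    # longer than the threshold (max_attempts>50 in the post) and a success run
    return [(t[0][1], t[0][2], t[0][0]) for t in txns
            if any(r[3] == "failure" and r[4] > threshold for r in t)
            and any(r[3] == "success" for r in t)]

if __name__ == "__main__":
    print("5-minute window :", detect(EVENTS, at(10), at(15)))  # 17:30-17:35 -> one hit
    print("25-minute window:", detect(EVENTS, at(0), at(25)))   # 17:20-17:45 -> no hits
```

In the wider window the stray failure at 17:23 joins the 17:31 run, because no event with a different action sits between them, so the run's attempts=1 row moves back to 17:23 and lands more than maxspan away from the success, while the earlier burst consumes a two-event transaction of its own. Comparing the two calls shows why a detection written this way can appear in a narrow window and vanish in a wider one without any event being lost.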