
Why scheduled search with "stats first()" returns different results from running it from the search bar and how to fix this?

Path Finder

Hi,

I'm currently setting up an aggregation via a scheduled search. Running the query in the search bar obtains the expected results; however, some of the parameters are sometimes off when it is scheduled.

This is the query:

udid!="" index="index_here"  | eval search_name="search" | addinfo | eval search_day=strftime(info_max_time,"%Y/%m/%d") | stats count(eval(action=="page_view")) AS page_view_count  first(gender) AS gender first(age) AS age first(is_registered) AS is_registered by udid | stats count by is_registered

What appears to not be working is the "first(is_registered)" as well as the others of this type. However, it works perfectly in the search bar, so how can this be fixed? It's as if this command is treated differently from the saved search.

1 Solution

Motivator

first() refers to the first event seen by the search process, which may not always be the most recent event. You might want to try swapping first() for latest() which specifically uses the timestamp of the event to determine the most recent value to keep. (and you also have earliest() for the inverse)

If those don't help, can you add some detail? Some sample data with what you're getting vs. what you expect to get?

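To make the difference concrete, here is an added plain-Python model of the three aggregation functions the answer mentions; it is not Splunk's own code nor anything from this thread, and the events, field values and arrival orders are constructed. It runs the same pipeline as the question's query (per-udid aggregation, then count by is_registered) over the same events in two different arrival orders: first() follows arrival order and so gives different totals, while latest() and earliest() are decided by _time and stay stable.

```python
"""Simulated Splunk stats first()/latest()/earliest() semantics.

Added example, not code from the Splunk community post or from Splunk
itself. It models the aggregation functions in plain Python to show why
first() depends on the order in which events reach the stats command,
while latest()/earliest() are decided by the event timestamp (_time).
All events below are constructed sample data.
"""
from collections import Counter

# Constructed events: device dev-1 registered between its second and
# third page views; _time is epoch seconds and the newest event is t=300.
EVENTS = [
    {"udid": "dev-1", "_time": 100, "action": "page_view", "is_registered": "false"},
    {"udid": "dev-1", "_time": 200, "action": "page_view", "is_registered": "false"},
    {"udid": "dev-1", "_time": 300, "action": "page_view", "is_registered": "true"},
    {"udid": "dev-2", "_time": 150, "action": "page_view", "is_registered": "true"},
    {"udid": "dev-2", "_time": 250, "action": "click", "is_registered": "true"},
]


def stats_first(events, field):
    """first(field): value from the first event the search process sees."""
    for ev in events:
        if field in ev:
            return ev[field]
    return None


def stats_latest(events, field):
    """latest(field): value from the event with the greatest _time."""
    candidates = [ev for ev in events if field in ev]
    return max(candidates, key=lambda ev: ev["_time"])[field] if candidates else None


def stats_earliest(events, field):
    """earliest(field): value from the event with the smallest _time."""
    candidates = [ev for ev in events if field in ev]
    return min(candidates, key=lambda ev: ev["_time"])[field] if candidates else None


def aggregate_by_udid(events, picker):
    """Model 'stats count(eval(action=="page_view")) AS page_view_count
    <picker>(is_registered) AS is_registered by udid'."""
    by_udid = {}
    for ev in events:
        by_udid.setdefault(ev["udid"], []).append(ev)
    rows = {}
    for udid, evs in by_udid.items():
        rows[udid] = {
            "page_view_count": sum(1 for ev in evs if ev["action"] == "page_view"),
            "is_registered": picker(evs, "is_registered"),
        }
    return rows


def count_by_is_registered(rows):
    """Model the trailing '| stats count by is_registered'."""
    return dict(Counter(r["is_registered"] for r in rows.values()))


def compare_orders(picker):
    """Run the pipeline over the same events in two arrival orders.
    Returns (newest_first_result, oldest_first_result); a stable picker
    yields the same dict in both positions."""
    newest_first = sorted(EVENTS, key=lambda ev: -ev["_time"])
    oldest_first = sorted(EVENTS, key=lambda ev: ev["_time"])
    return (
        count_by_is_registered(aggregate_by_udid(newest_first, picker)),
        count_by_is_registered(aggregate_by_udid(oldest_first, picker)),
    )


if __name__ == "__main__":
    for name, picker in (("first", stats_first), ("latest", stats_latest),
                         ("earliest", stats_earliest)):
        a, b = compare_orders(picker)
        print(f"{name:<8} newest-first: {a}  oldest-first: {b}  stable={a == b}")
```

In the model, first() only matches latest() when events happen to arrive newest-first; with the opposite order dev-1 is counted as unregistered. Swapping first(is_registered) for latest(is_registered) in the query pins the choice to the timestamp, so the scheduled and ad-hoc runs agree.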


Path Finder

I finally figured this out as well, as that was the issue, thanks.

I am curious to know why the search process for saved searches treats this differently from a standard query in the search bar. Is it searching multiple buckets at once, or something along those lines, to be more efficient?

0 Karma

Motivator

That's a good question, I don't actually know. I just tend to use earliest() and latest() because that's my intent anyway.

0 Karma