Hi,
I have an issue whereby if I call a savedsearch from another search I get different results returned when using fast, smart and verbose mode.
If I run the saved search as an ad hoc search, the results returned from all three modes are the same. However, when I call it using | savedsearch KEPM, the results vary between the three modes.
Below is the code that is being used and the time frames are absolute.
Base search:
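| savedsearch KEPM
``` Build the report columns from the KEPM rows: when KE_ID is set the KE_* value is used, otherwise the PR_* value. ```
| eval Incident=PR_TRIGGER_INCIDENT
| eval Problem=PR_ID
| eval "Problem Created"=PR_CREATED_DATE
| eval KnownError=KE_ID
| eval Priority=case(isnotnull(KE_ID),KE_PRIORITY,isnull(KE_ID),PR_PRIORITY)
| eval Status_unfilt=case(isnotnull(KE_ID),KE_STATUS,isnull(KE_ID),PR_STATUS)
``` Status is set to null for "Deferred..." and "Closed", so those rows fail the ok test further down. ```
| eval Status=case(like(Status_unfilt,"Deferred%"), null(), like(Status_unfilt,"Closed"), null(), 1=1,Status_unfilt)
| eval Phase=case(isnotnull(KE_ID),KE_PHASE,isnull(KE_ID),PR_PHASE)
| eval "Sub Category"=case(isnull(KE_ID),PR_CATEGORY,isnotnull(KE_ID),KE_CATEGORY)
| eval "Category Area"=case(isnotnull(KE_ID),KE_AREA,isnull(KE_ID),PR_AREA)
| eval Group_unfilt=case(isnotnull(KE_ID),KE_ASSIGNMENT_GROUP,isnull(KE_ID),PR_ASSIGNMENT_GROUP)
``` Group is kept only for the listed assignment groups; any other value becomes null. ```
``` NOTE(review): a repeated "PM - Corporate" clause was removed here; if another group was meant in its place, add it. ```
| eval Group=case(like(Group_unfilt,"PM - IP"), Group_unfilt, like(Group_unfilt,"PM - Corporate"), Group_unfilt, like(Group_unfilt,"PM - Security & Firewalls"), Group_unfilt, 1=1,null())
| eval Title=case(isnull(KE_ID),PR_TITLE,isnotnull(KE_ID),KE_TITLE)
| eval Description=case(isnull(KE_ID),PR_DESCRIPTION,isnotnull(KE_ID),KE_DESCRIPTION)
| eval Workaround=case(isnull(KE_ID),PR_WORKAROUND,isnotnull(KE_ID),KE_WORKAROUND)
``` The three "... Else Expected Date" columns take the first non-null value in the order listed. ```
| eval "Root Cause Else Expected Date"=case(isnotnull(KE_ROOT_CAUSE),KE_ROOT_CAUSE,isnotnull(PR_ROOT_CAUSE),PR_ROOT_CAUSE,isnotnull(PR_ROOT_CAUSE_DATE),PR_ROOT_CAUSE_DATE )
| eval "Solution Else Expected Date"=case(isnotnull(KE_RESOLUTION),KE_RESOLUTION,isnotnull(KE_SOLUTION_DATE),KE_SOLUTION_DATE,isnotnull(PR_SOLUTION_DATE),PR_SOLUTION_DATE)
| eval "Resolution Else Expected Date"=case(isnotnull(PR_CLOSE_CODE),PR_CLOSE_CODE,isnotnull(KE_ID),KE_EXPECTED_RESOLUTION_DATE,isnull(KE_ID),PR_EXPECTED_RESOLUTION_DATE)
| eval Assignee=case(isnotnull(KE_ID),KE_ASSIGNED_TO,isnull(KE_ID),PR_ASSIGNED_TO)
``` Creation time and the fixed lower bound are parsed with the same format string. ```
| eval epochevent=strptime(PR_CREATED_DATE, "%Y-%m-%d %H:%M:%S")
``` NOTE(review): the literal ends in ".0", which the format string does not cover - confirm strptime returns a value here, because a null epochstart would make every row ok=2. ```
| eval epochstart=strptime("2015-08-01 00:00:00.0", "%Y-%m-%d %H:%M:%S")
``` NOTE(review): epochend is computed but not used in the ok test, so there is no upper bound on the creation date. ```
| eval epochend=relative_time(now(),"@d")
``` ok=1 only when the problem was created on or after epochstart and both Group and Status are non-null. ```
| eval ok= case((epochstart<=epochevent) and isnotnull(Group) and isnotnull(Status), 1, 1=1, 2)
``` NOTE(review): unquoted, this sorts on Problem and on a field named Created, which is not defined in this search; quote "Problem Created" if that column was meant. ```
| sort Priority Phase Problem Created
| fields Incident Problem "Problem Created" KnownError Priority Status Phase "Sub Category" Group Title Description Workaround "Root Cause Else Expected Date" "Solution Else Expected Date" "Resolution Else Expected Date" Assignee ok
| where ok=1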
Saved search (KEPM):
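index=nwks_oss_pm_db sourcetype=dbx_smn1d_smpmadmin_rootcausem1 OR sourcetype=dbx_smn1d_smpmadmin_knownerrorm1
``` Both sourcetypes share column names. Each shared column is copied into a PR_* field for rootcausem1 events or a KE_* field for knownerrorm1 events, then the shared column is dropped. ```
| eval PR_ID=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",ID ,null())
| eval KE_ID=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",ID ,null())
| fields - ID
| eval PR_CATEGORY=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",PRODUCT_TYPE ,null())
| eval KE_CATEGORY=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",PRODUCT_TYPE ,null())
| fields - PRODUCT_TYPE
| eval PR_AREA=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",SUBCATEGORY ,null())
| eval KE_AREA=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",SUBCATEGORY ,null())
| fields - SUBCATEGORY
| eval PR_ASSIGNMENT_GROUP=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",ASSIGNMENT ,null())
| eval KE_ASSIGNMENT_GROUP=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",ASSIGNMENT ,null())
| fields - ASSIGNMENT
| eval PR_PRIORITY=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",PRIORITY_CODE ,null())
| eval KE_PRIORITY=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",PRIORITY_CODE ,null())
| fields - PRIORITY_CODE
| eval PR_PRIMARY_CI=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",LOGICAL_NAME ,null())
| eval KE_PRIMARY_CI=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",LOGICAL_NAME ,null())
| fields - LOGICAL_NAME
| eval PR_PHASE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",CURRENT_PHASE ,null())
| eval KE_PHASE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",CURRENT_PHASE ,null())
| fields - CURRENT_PHASE
| eval PR_STATUS=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",RCSTATUS ,null())
| eval KE_STATUS=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",RCSTATUS ,null())
| fields - RCSTATUS
| eval PR_EXPECTED_RESOLUTION_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",EXPECTED_RESOLUTION_TIME ,null())
| eval KE_EXPECTED_RESOLUTION_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",EXPECTED_RESOLUTION_TIME ,null())
| fields - EXPECTED_RESOLUTION_TIME
| eval PR_LAST_UPDATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",UPDATE ,null())
| eval KE_LAST_UPDATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",UPDATE ,null())
| fields - UPDATE
| eval PR_UPDATE_TIME=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",UPDATE_TIME ,null())
| eval KE_UPDATE_TIME=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",UPDATE_TIME ,null())
| fields - UPDATE_TIME
| eval PR_TITLE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",BRIEF_DESCRIPTION ,null())
| eval KE_TITLE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",BRIEF_DESCRIPTION ,null())
| fields - BRIEF_DESCRIPTION
| eval PR_DESCRIPTION=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",DESCRIPTION ,null())
| eval KE_DESCRIPTION=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",DESCRIPTION ,null())
| fields - DESCRIPTION
| eval PR_ROOT_CAUSE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",ROOT_CAUSE ,null())
| eval KE_ROOT_CAUSE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",ROOT_CAUSE ,null())
| fields - ROOT_CAUSE
| eval PR_CREATED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",OPEN_TIME ,null())
| eval KE_CREATED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",OPEN_TIME ,null())
| fields - OPEN_TIME
| eval PR_CLOSED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",CLOSE_TIME ,null())
| eval KE_CLOSED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",CLOSE_TIME ,null())
| fields - CLOSE_TIME
| eval PR_REOPENED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",REOPEN_TIME ,null())
| eval KE_REOPENED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",REOPEN_TIME ,null())
| fields - REOPEN_TIME
| eval PR_ASSIGNED_TO=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",ASSIGNEE_NAME ,null())
| eval KE_ASSIGNED_TO=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",ASSIGNEE_NAME ,null())
| fields - ASSIGNEE_NAME
| eval PR_WORKAROUND=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",WORKAROUND ,null())
| eval KE_WORKAROUND=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",WORKAROUND ,null())
| fields - WORKAROUND
| eval PR_CLOSE_CODE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",CLOSURE_CODE ,null())
| eval KE_CLOSE_CODE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",CLOSURE_CODE ,null())
| fields - CLOSURE_CODE
| eval PR_SOLUTION_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",SOLUTIONDATE ,null())
| eval KE_SOLUTION_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",SOLUTIONDATE ,null())
``` Fix: this step used to remove AFFECTED_ITEM before the two evals below read it, which left PR_SERVICE and KE_SERVICE always null. ```
| fields - SOLUTIONDATE
| eval PR_SERVICE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",AFFECTED_ITEM ,null())
| eval KE_SERVICE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",AFFECTED_ITEM ,null())
| fields - AFFECTED_ITEM
| rename CLOSED_BY AS KE_CLOSED_BY, ROOTCAUSEDATE AS PR_ROOT_CAUSE_DATE, OPTUS_VENDOR_CASE_NUMBER AS PR_VENDOR_CASE_REF, OPTUS_IFMS_REFERENCE AS PR_TRIGGER_INCIDENT, PARENT_PROBLEM AS KE_TRIGGER_PROBLEM, PROPOSED_SOLUTION AS KE_PROPOSED_SOLUTION
``` comboID is the problem id: PR_ID on problem rows, KE_TRIGGER_PROBLEM on known-error rows, so the stats below merges a problem with its known error. ```
| eval comboID=coalesce(PR_ID,KE_TRIGGER_PROBLEM)
``` Disabled alternative ("#" is not SPL comment syntax): | stats values(*) as * by comboID ```
``` NOTE(review): first() keeps the value from whichever event is seen first for each comboID, so the result depends on event order; confirm the order is the same in every search mode, or use an order-independent aggregate. ```
| stats first(*) as * by comboID
``` Fix: KE_UPDATE_TIME and KE_PRIMARY_CI were fused into one name in both lists below. ```
``` NOTE(review): KE_RESOLUTION is not created anywhere in this search, and KE_CLOSURE_CODE does not match the KE_CLOSE_CODE field defined above - confirm both names. ```
| fields KE_ID KE_CATEGORY KE_AREA KE_ASSIGNMENT_GROUP KE_LAST_UPDATE KE_UPDATE_TIME KE_PRIMARY_CI KE_TITLE KE_DESCRIPTION KE_ROOT_CAUSE KE_CREATED_DATE KE_CLOSED_DATE KE_CLOSED_BY KE_REOPENED_DATE KE_PRIORITY KE_ASSIGNED_TO KE_RESOLUTION KE_WORKAROUND KE_PHASE KE_EXPECTED_RESOLUTION_DATE KE_PROPOSED_SOLUTION KE_TRIGGER_PROBLEM KE_SERVICE KE_SOLUTION_DATE KE_CLOSURE_CODE KE_STATUS PR_ID PR_CATEGORY PR_AREA PR_PRIORITY PR_ASSIGNMENT_GROUP PR_PRIMARY_CI PR_PHASE PR_STATUS PR_LAST_UPDATE PR_UPDATE_TIME PR_ASSIGNED_TO PR_TITLE PR_DESCRIPTION PR_ROOT_CAUSE PR_CREATED_DATE PR_CLOSED_DATE PR_REOPENED_DATE PR_WORKAROUND PR_EXPECTED_RESOLUTION_DATE PR_CLOSE_CODE PR_ROOT_CAUSE_DATE PR_SOLUTION_DATE PR_SERVICE PR_VENDOR_CASE_REF PR_TRIGGER_INCIDENT
| table KE_ID KE_CATEGORY KE_AREA KE_ASSIGNMENT_GROUP KE_LAST_UPDATE KE_UPDATE_TIME KE_PRIMARY_CI KE_TITLE KE_DESCRIPTION KE_ROOT_CAUSE KE_CREATED_DATE KE_CLOSED_DATE KE_CLOSED_BY KE_REOPENED_DATE KE_PRIORITY KE_ASSIGNED_TO KE_RESOLUTION KE_WORKAROUND KE_PHASE KE_EXPECTED_RESOLUTION_DATE KE_PROPOSED_SOLUTION KE_TRIGGER_PROBLEM KE_SERVICE KE_SOLUTION_DATE KE_CLOSURE_CODE KE_STATUS PR_ID PR_CATEGORY PR_AREA PR_PRIORITY PR_ASSIGNMENT_GROUP PR_PRIMARY_CI PR_PHASE PR_STATUS PR_LAST_UPDATE PR_UPDATE_TIME PR_ASSIGNED_TO PR_TITLE PR_DESCRIPTION PR_ROOT_CAUSE PR_CREATED_DATE PR_CLOSED_DATE PR_REOPENED_DATE PR_WORKAROUND PR_EXPECTED_RESOLUTION_DATE PR_CLOSE_CODE PR_ROOT_CAUSE_DATE PR_SOLUTION_DATE PR_SERVICE PR_VENDOR_CASE_REF PR_TRIGGER_INCIDENT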
Thanks,
David