Splunk Search

Understanding collect and savedsearch

zacksoft_wf
Communicator

There is an SPL search, ending with stats, that generates 300 events.
Now that search, let's call it "SEARCH-1", is saved as a 'saved search', and in the 'saved search' one extra line is added, i.e.
| collect index=sec_apps_summary source="savedSearch_1d"
And the earliest and latest settings are -1@d and @d.
There is another search, SEARCH-2, that invokes the 'saved search', and the SPL starts like
index=sec_apps_summary source="savedSearch_1d" ....

What confuses me is that SEARCH-1 and SEARCH-2 should show the same count of results, but I see 300 events for SEARCH-1 and far fewer, 16 events, for SEARCH-2.
I suspect it has something to do with the way the 'saved search' is utilized; I don't quite understand the difference in results. Any idea why?


1 Solution

richgalloway
SplunkTrust

SEARCH-2 does NOT invoke SEARCH-1.

SEARCH-1 performs a search, produces some results, and then writes those results to the sec_app_summary index.

SEARCH-2 reads the sec_app_summary index for all events written by SEARCH-1.

I hope that clears up some of the confusion.  I can't explain why SEARCH-1 writes 300 results, but SEARCH-2 only finds 16.  Perhaps that's related to time window or some aspects of the searches that weren't shared.

---
If this reply helps you, an upvote would be appreciated.

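The distinction in the answer above, written out as SPL searches. This is an added example, not code from the thread: the source index `sec_apps`, source `app_events`, the `host` field and the hourly `span` are assumed values standing in for whatever SEARCH-1 actually searches; the summary index, source name and the saved-search name "SEARCH-1" are the ones the thread uses. The first search is the shape of SEARCH-1 as a saved search: it keeps a `_time` on every stats row (via `bin`) so that `collect` writes that time into the summary event. The second is SEARCH-2 reading the summary index for the same window. The third is a diagnostic that lists, per summary row, the `_time` that `collect` wrote against the time the row was actually indexed, which is the first place to look when the consumer search returns fewer rows than the producer wrote. The last line shows the one way SEARCH-2 would genuinely re-run SEARCH-1 instead of reading the summary: the `savedsearch` command.

```spl
index=sec_apps source=app_events earliest=-1d@d latest=@d
| bin _time span=1h
| stats count AS event_count BY _time, host
| collect index=sec_apps_summary source="savedSearch_1d"

index=sec_apps_summary source="savedSearch_1d" earliest=-1d@d latest=@d
| stats count AS rows_read

index=sec_apps_summary source="savedSearch_1d" earliest=-30d
| eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval indexed_at=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| stats count BY event_time, indexed_at
| sort - indexed_at

| savedsearch "SEARCH-1"
```

If the stats in SEARCH-1 does not carry a `_time` through (for example `stats count BY host` with no `bin`), `collect` assigns a timestamp itself (its `addtime` option controls this), so every row lands on the same `_time`, and whether SEARCH-2's `-1@d` to `@d` window catches those rows then depends on when the saved search ran rather than on the data. Running the diagnostic search over a wide window and comparing `event_time` with `indexed_at` makes that visible without changing either saved search.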
