Splunk Search

Why are the events dropping from the search (subsearch used)?

byu168
Path Finder

I'm using the below search to grab a list of tag_values from one index and use it as a subsearch on another index. I'm finding not all events are getting picked up though. The subsearch returns 140 results, so it's not a limitation on that end. With the subsearch I don't pick up all the messages I'm looking for for each run (e.g. I get 7 results returned for "DVT ready" but there should be a message for each). Is the event dropping related to how many events are being searched in the pipeline_logs index? This is also being run over the past week.

((index=pipeline_logs AND (geniaComplete.flag OR "DVT ready" OR "acap branch path setup" OR "oc-cal job" OR "downloading raw data" OR "oc-cal ACAP processing" OR "Multichunk processing complete" OR "annotations upload to GCS" OR "SGE driver started" OR "transfer complete for all banks")) [search index=cumulus1 source=mysql-runs sourcetype=run_analysis AND analysis_type=reanalysis NOT pct_cells_sampled=10.0 NOT run_group="*HTP*" | eval tag_value=mvindex(split(file_name,"."),1) | table tag_value ])
0 Karma

somesoni2
Revered Legend

The subsearch has a limitation on the execution time as well, apart from the number of rows returned (see link below). It could be possible that the subsearch is auto-finalized due to longer processing time. Do you see any message in the job dropdown (below the search bar) regarding your subsearch?

https://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Aboutsubsearches#Subsearch_performance_con...

0 Karma

byu168
Path Finder

It doesn't seem to be an execution time limit. Running the entire search only takes 10 seconds.

My title may have been off. Events may not be being dropped during the subsearch but on the entire search. For some tag_values I get 2/10 messages even though all messages exist.

0 Karma