Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why scheduled search with "stats first()" returns different results from running it from the search bar and how to fix this?

anthonycopus
Path Finder
‎02-09-2015 04:40 AM

Hi,

I'm currently setting up an aggregation via a scheduled search. Running the query for this in the search bar obtains the expected results, however, some of the parameters are sometimes off when scheduled.

This is the query:

udid!="" index="index_here"  | eval search_name="search" | addinfo | eval search_day=strftime(info_max_time,"%Y/%m/%d") | stats count(eval(action=="page_view")) AS page_view_count  first(gender) AS gender first(age) AS age first(is_registered) AS is_registered by udid | stats count by is_registered

What appears to not be working is the "first(is_registered)" as well as the others of this type. However, it works perfectly in the search bar, so how can this be fixed? It's as if this command is treated differently from the saved search.

Reply
1 Solution
Solved! Jump to solution
Solution

emiller42
Motivator
‎02-10-2015 09:22 AM

first() refers to the first event seen by the search process, which may not always be the most recent event. You might want to try swapping first() for latest() which specifically uses the timestamp of the event to determine the most recent value to keep. (and you also have earliest() for the inverse)

If those don't help, can you add some detail? Some sample data with what you're getting vs. what you expect to get?

View solution in original post

Reply
Solved! Jump to solution
Solution

emiller42
Motivator
‎02-10-2015 09:22 AM

first() refers to the first event seen by the search process, which may not always be the most recent event. You might want to try swapping first() for latest() which specifically uses the timestamp of the event to determine the most recent value to keep. (and you also have earliest() for the inverse)

If those don't help, can you add some detail? Some sample data with what you're getting vs. what you expect to get?

Reply
Solved! Jump to solution

anthonycopus
Path Finder
‎02-10-2015 09:24 AM

I figured this out finally as well, as it was the issue thanks.

I am curious to know why the search process for saved searches treats this differently from a standard query in the search bar, it is searching multiple buckets at once or something along those lines to be more efficient?

0 Karma
Reply
Solved! Jump to solution

emiller42
Motivator
‎02-10-2015 09:31 AM

Thats a good question, I don't actually know. I just tend to use earliest() and latest() because that's my intent anyway.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...