Why am I getting inconsistent results when using a...

ronyabar · ‎08-31-2014

Hi
While running a search for a specific record in a specific date (tagged as WT_vt_sid) i get one result with value for field WT_mc_id , but when i search for a date range where this record exists i get that record but without the value even though it exists on the raw data and tagged properly.
for example:
2014-06-18 23:32:07 10.222.64.1 - www.test.co.il GET /Internet/Pages/Upgrade/net.aspx utm_source=reshet&utm_medium=video&utm_campaign=upgrade&WT.mc_id=reshet-video-upgrade&WT.vt_sid=10.236.64.1-2228845616.30378829.1403134327WT.co_f=10.222.64.1-2228456616.3037429

I expect to get the value "reshet-video-upgrade" for field WT_mc_id but i get it only when i search the specific visitor(vt_sid). or sometimes when record amount is smaller (e.g.: when i narrow the search for only records with mc_id like "video" )
Splunk version is 4.3.2

yannK · ‎09-03-2014

First option : if this is a timestamp issue
Your data seems to be in GMT
1403134327 epoch matches the date in the first line : 2014-06-18 23:32:07

to verify that the event is in the time range you expect, please run a search like

"*10.236.64.1-2228845616.30378829.1403134327*" | table _time date_zone _raw

Second option : if this is a field extraction issue
by example there is not & separator between WT.vt_sid, oabd WT.co_f
and you have a mix of separators : , & _ -

Remember that fields names can only contain letters, numbers and underscore.
if you want to verify what is extracted check the fields available.

<mysearch> | table "WT*" "*_*" _raw

Finally do a manual field extraction.

<my search> | rex "WT.mc_id=(?<WT_mc_id>[^&]*)" | rex "WT.vt_sid=(?<WT_vt_sid>[\d\.-]*)" | table WT_mc_id WT_vt_sid

Why am I getting inconsistent results when using a different search date range for the same record in Splunk 4.3.2?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!