Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can the results of the same search vary between use in a search bar and a dashboard?

20065945
Explorer
‎10-15-2014 11:11 PM

hi,

I am writing the following search query in the dashboard panel

sourcetype=xml22 |where $field1$ = 7|search Text="*Launched application: Automatic Registration"| eval Name = "Automatic Registration launch" |stats count by Name|table Name count
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: AutoQuant"| eval Name = "AutoQuant launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: FilmView"| eval Name = "FilmView launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: NM Renal"| eval Name = "NM Renal launch" |stats count by Name|table Name count]

| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: NM Viewer"| eval Name = "NM Viewer launch" |stats count by Name|table Name count]

| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: AutoSPECT Pro"| eval Name = "AutoSPECT Pro launch" |stats count by Name|table Name count]

| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Launched application: AVA"| eval Name = "AVA launch" |stats count by Name|table Name count]

| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Bone Mineral Density"| eval Name = "Bone Mineral Density launch" |stats count by Name|table Name count]

| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Brain Perfusion"| eval Name = "Brain Perfusion launch" |stats count by Name|table Name count]

| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Cardiac Viewer"| eval Name = "Cardiac Viewer launch" |stats count by Name|table Name count]*

and when i am performing single searches for the above group search like
sourcetype=xml22 |search Text="*Launched application: AutoQuant"| eval Name = "AutoQuant launch" |stats count by Name|table Name count*

the results are varying.

The query says that when the text in Text="Launched application: AutoSPECT Pro" arrives then print the name as given in eval Name = "AutoSPECT Pro launch" and then give the count of its occurrence as in stats count by Name|table Name count

This count is same for a few searches but its varying for others. Kindly help:)

0 Karma
Reply

mendesjo
Path Finder
‎02-11-2016 10:09 AM

I'm seeing the same thing on one of our dashboards, i do the same exact query from the search bar, vs the dashboard and get different results.

0 Karma
Reply

stefan1988
Path Finder
‎02-22-2017 04:25 AM

Here same issue. Within the dashboard I see a partial result while my query is exactly the same.

0 Karma
Reply

musskopf
Builder
‎10-16-2014 06:32 PM

Hello,

I don't think there is a reason for the results to vary but I'm wondering if there no other way to perform your search... it seems very repetitive. What about you do something like:

sourcetype=xml22 $field1$ = 7 | stats count by Text

I know that it will return the full text and not the name you want... but after you get the stats you could use a lookup table to replace the "text" with the "name" you like or maybe | eval name=CASE(...) to change it.

It'll simplify your search command and make easier to debug...

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...