Splunk Search

Why does a scheduled search with "stats first()" return different results from running it from the search bar, and how can this be fixed?

anthonycopus
Path Finder

Hi,

I'm currently setting up an aggregation via a scheduled search. Running the query for this in the search bar obtains the expected results; however, some of the parameters are sometimes off when scheduled.

This is the query:

udid!="" index="index_here"  | eval search_name="search" | addinfo | eval search_day=strftime(info_max_time,"%Y/%m/%d") | stats count(eval(action=="page_view")) AS page_view_count  first(gender) AS gender first(age) AS age first(is_registered) AS is_registered by udid | stats count by is_registered

What appears to not be working is "first(is_registered)", as well as the others of this type. However, it works perfectly in the search bar, so how can this be fixed? It's as if this command is treated differently in the saved search.

1 Solution

emiller42
Motivator

first() refers to the first event seen by the search process, which may not always be the most recent event. You might want to try swapping first() for latest() which specifically uses the timestamp of the event to determine the most recent value to keep. (and you also have earliest() for the inverse)

If those don't help, can you add some detail? Some sample data with what you're getting vs. what you expect to get?
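Added illustration (not part of the original thread): a small Python emulation of `stats first(is_registered) by udid | stats count by is_registered` versus the `latest()` variant, run over the same constructed events delivered in two assumed arrival orders. It shows why `first()` can flip the final counts when the scheduled run hands events to `stats` in a different order, while `latest()` keys on `_time` and is unaffected.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass
class Event:
    time: int           # epoch seconds, stands in for _time
    udid: str
    is_registered: str

# Constructed sample events. Assumed arrival order for the search bar run:
# newest first within each udid.
SEARCH_BAR_ORDER = [
    Event(1700000300, "dev-1", "true"),
    Event(1700000200, "dev-1", "false"),
    Event(1700000100, "dev-1", "false"),
    Event(1700000250, "dev-2", "true"),
    Event(1700000150, "dev-2", "true"),
]

# Same events, assumed arrival order for a scheduled run: the oldest dev-1
# event reaches stats first (e.g. delivered bucket by bucket, not globally sorted).
SCHEDULED_ORDER = [SEARCH_BAR_ORDER[i] for i in (2, 3, 0, 4, 1)]

def stats_first(events, field):
    """Emulate `stats first(field) by udid`: keep the value from the first
    event stats receives for each udid, regardless of its timestamp."""
    out = {}
    for e in events:
        out.setdefault(e.udid, getattr(e, field))
    return out

def stats_latest(events, field):
    """Emulate `stats latest(field) by udid`: keep the value from the event
    with the greatest _time, so arrival order cannot change the result."""
    newest = {}
    for e in events:
        if e.udid not in newest or e.time > newest[e.udid].time:
            newest[e.udid] = e
    return {udid: getattr(e, field) for udid, e in newest.items()}

def count_by(per_udid):
    """Emulate the trailing `| stats count by is_registered`."""
    return dict(Counter(per_udid.values()))

def compare(field="is_registered"):
    return {
        "first/search_bar": count_by(stats_first(SEARCH_BAR_ORDER, field)),
        "first/scheduled": count_by(stats_first(SCHEDULED_ORDER, field)),
        "latest/search_bar": count_by(stats_latest(SEARCH_BAR_ORDER, field)),
        "latest/scheduled": count_by(stats_latest(SCHEDULED_ORDER, field)),
    }
```

Only the `first()` rows differ between the two orders; both `latest()` rows agree because the newest event per udid is the same whichever order it arrives in.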

anthonycopus
Path Finder

I finally figured this out as well; that was the issue, thanks.

I am curious to know why the search process for saved searches treats this differently from a standard query in the search bar. Is it searching multiple buckets at once, or something along those lines, to be more efficient?


emiller42
Motivator

That's a good question, I don't actually know. I just tend to use earliest() and latest() because that's my intent anyway.
