
Why am I getting different results in verbose mode versus fast mode joining two sourcetypes with one source limited to today's data?

bfernandez
Communicator

I am trying to join two sourcetypes with a common field (ID). The problem occurs when I try to limit one source to today's indexed data. If I execute the search in “fast mode” it applies the index-time filter to both sources, but if I execute it in “verbose mode” it applies correctly to only one source. It works in both modes without the index-time filter.

Search example over the last month:

(sourcetype=source1 _index_earliest=-d@d _index_latest=now) OR (sourcetype=source2) | stats first(fieldsource1), first(fieldsource2) by ID

Using Splunk 6.2.2 – 255606 over Centos x64

0 Karma

khourihan_splun
Splunk Employee

What index time filter are you talking about? earliest= latest=?

Those usually go at the end, but I don't think that matters.

i.e. sourcetype=source1 OR sourcetype=source2 earliest=-1d@d | stats first(fieldsource1), first(fieldsource2) by ID

And I assume your problem is that you are not discovering your fields (fieldsource1, fieldsource2 or ID)?

If that assumption is true, it could be b/c you are running a transforming search (i.e. stats) and that causes the search to run in fast mode.

from: http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/WhenSplunkEnterpriseaddsfields

Splunk Enterprise discovers fields other than default fields and fields explicitly mentioned in the search string only when you:

run a non-transforming search in the Smart search mode.
run any search in the Verbose search mode. 

transforming search: A type of search command that orders the results into a data table. Transforming commands "transform" the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes. Searches that use transforming commands are called transforming searches.

Transforming commands include chart, timechart, stats, top, rare, contingency, and highlight.

So I'd recommend you use a rex command to extract the fields you want, and test and see if that works. If so, you could then permanently set it via EXTRACT's in the sourcetype's transforms.conf file.

I am not sure if you set the search mode to smart in the GUI if that will work, but the way I suggest is more efficient for you long-term.

Hope that helps,
Cheers,
Kyle

0 Karma
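As an added illustration of the rex approach suggested above (not code from either poster), the first search checks which sourcetype the index-time filter actually restricted by reporting the oldest _indextime per sourcetype, and the second explicitly extracts ID, fieldsource1 and fieldsource2 before the stats so the result no longer depends on automatic field discovery; the key=value regexes assume the raw events look like `ID=123 fieldsource1=abc`, which is an assumption about the data, not something stated in the thread.

```spl
(sourcetype=source1 _index_earliest=-d@d _index_latest=now) OR sourcetype=source2
| eval indexed_at=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| stats count min(indexed_at) AS oldest_indexed max(indexed_at) AS newest_indexed by sourcetype

(sourcetype=source1 _index_earliest=-d@d _index_latest=now) OR sourcetype=source2
| rex field=_raw "ID=(?<ID>\S+)"
| rex field=_raw "fieldsource1=(?<fieldsource1>\S+)"
| rex field=_raw "fieldsource2=(?<fieldsource2>\S+)"
| stats first(fieldsource1) AS fieldsource1 first(fieldsource2) AS fieldsource2 by ID
```

Run the first search in both fast and verbose mode: if oldest_indexed for source2 is limited to today only in one mode, the difference is in how the filter is applied rather than in field discovery, whereas if both modes agree and only the join output differs, the explicit rex extraction in the second search should make the modes behave the same.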

woodcock
Esteemed Legend

I would definitely open a support case on this.

0 Karma