- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Ghost results - why can't I pipe my results?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ghost results - why can't I pipe my results?
I have a search that yields over 6000 events. However, when I try to do anything with those events, namely use them in a pivot or pipe them to "top", suddenly the results are gone. Here is my search...
(index=pgbssi-downloads NOT extracted_EventType="DownloadOrderCompleted") OR index=pgbssi-assets30d | eventstats first(Category) as Category by Id | search index=pgbssi-downloads Category=*
And as soon as I try this, I get 0 results...
(index=pgbssi-downloads NOT extracted_EventType="DownloadOrderCompleted") OR index=pgbssi-assets30d | eventstats first(Category) as Category by Id | search index=pgbssi-downloads Category=* | top Username
I can't seem to attach an image, but I can see in the panel to the left of the results that there are 100+ results for Username, 10 different Category values, 100+ Id values, etc.
Is sleep deprivation getting the better of me? As implied by the index names, I have already written results to summary indexes in order to make this search work. Now I just can't seem to create a visualization for it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Someone must have deleted their answer and my comment disappeared with it. The following worked. I still don't understand.
(index=pgbssi-downloads NOT extracted_EventType="DownloadOrderCompleted") | join type=inner Id [search index=pgbssi-assets30d] | top Username
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're issuing a "| search index=....." after your eventstats command. I believe you are wanting to do a join here, and not search your eventstats'd results here? Remember that stats commands are filtered.
Joins are extremely heavy and resource intensive, and you are absolutely correct, in Big Data, it will cause issues.
Have you considering using KVStore for those Category=* events? Summary indexing is another way you can approach this also, like you are doing currently.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I'm avoiding lookups because my reference table has 140 fields and 600K rows and growing. I did end up using a join on a smaller table that I created using a summary index but I still don't understand why the original query didn't work. If I understand correctly, eventstats appends stats information to individual events. Since I want to keep the _time info from pgbssi-downloads, I didn't want to use stats.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Weird. My last comment seems to have disappeared too. I used eventstats in an attempt to avoid join. I used it instead of stats so that I could retain _time for use in a pivot. I still don't understand why the eventstats works fine until trying to pipe the 6000K+ results to something else. Then the piped command receives 0 events. Seems like a bug of some sort to me.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
