Splunk Search

Can someone explain why Search A has 0 results, but the refined Search B has multiple results?

kmcarrol
Path Finder

Can someone explain to me how Search A can have 0 results, but the refined Search B has multiple results? They are exactly the same except that the second theoretically has a smaller result set to process, right? Index pgbs has ~650,000 events.

Search A (0 results):

index=pgbs | makemv delim="," GtinToAsset | eval GtinCount=mvcount(GtinToAsset) | where GtinCount>1

Search B (188 results):

index=pgbs GtinToAsset="*,*" | makemv delim="," GtinToAsset | eval GtinCount=mvcount(GtinToAsset) | where GtinCount>1

acharlieh
Influencer

I suspect you're running with fast mode and your GtinToAsset field is auto-extracted?

In order for your indexers to satisfy the first base search, index=pgbs, no field extraction on events is actually needed to satisfy the search criteria, but your second search, index=pgbs GtinToAsset="*,*", requires the GtinToAsset field to be extracted to satisfy the search.

While your second search command, makemv delim="," GtinToAsset, requires the extraction to have been performed, I've seen issues where, without specifying at least GtinToAsset=* in the base search in fast mode, the extraction sometimes just won't happen, so the further commands fail because the field simply isn't present.

What happens if you run the first search in Verbose mode?

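The following search is an added example (not posted by anyone in this thread) that turns the explanation above into a check: it applies the reported fix, GtinToAsset=* in the base search, and then reports how many events carry one, several, or no GTIN values, so a reader can see whether the field is actually being extracted for the events the pipeline touches. The `| rename COMMENT AS "..."` line is the common community idiom for an inline SPL comment; it assumes no real field named COMMENT exists in the pgbs index.

```spl
index=pgbs GtinToAsset=*
| rename COMMENT AS "Added example, not from the thread. GtinToAsset=* in the base search makes the field a required one, so search-time extraction happens before makemv runs."
| makemv delim="," GtinToAsset
| eval GtinCount=mvcount(GtinToAsset)
| eval gtin_state=case(isnull(GtinCount), "missing", GtinCount>1, "multiple", true(), "single")
| stats count BY gtin_state
| addcoltotals labelfield=gtin_state label="total"
```

Run it once as written and once with GtinToAsset=* removed from the base search. If the field is extracted in both cases, the "multiple" row matches Search B (188 events in the poster's index) either way; if the "multiple" row collapses to nothing, or the total falls well short of the ~650,000 events the poster counted, the base search without the field reference is being satisfied without extracting GtinToAsset, which is the behaviour described above.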

kmcarrol
Path Finder

I was actually running in the default Smart Mode. I also tried in Verbose Mode and got the same result. But you're right, specifying GtinToAsset=* on the front end resolves the issue just like GtinToAsset=",".

It seems to me like this is a bug.

woodcock
Esteemed Legend

Are you sure it is not the other way around? If you have mismatched them, then I have a theory but as you have specified it, I am totally befuddled!


kmcarrol
Path Finder

If they were mismatched, then of course it would make sense to get fewer results when you add additional criteria. That's my point. 😉
