Splunk Search

Splunk Api query returns inconsistent results

cse9423
Explorer

Hello,

I am getting inconsistent results from Splunk for the queries below.

query1:
search index=index01 AND status=success AND (userid=user1 OR userid=user2 OR userid=user3 OR ... OR userid=user50) | stats values(userid), values(ip) by ip

query2:
search index=index01 AND status=success AND (userid=user1 OR userid=user2 OR userid=user3) | stats values(userid), values(ip) by ip

(basically I have fewer userids in query2).

The first query returns 3 records for user1, which is not correct, and the second query returns 5 records for user1, which is correct.

I am using the Splunk 1.3.2 jar to execute these queries. Any help is greatly appreciated.

Here is a code snippet:

import com.splunk.*;
import java.io.InputStream;
import java.util.HashMap;

// query, latesttime and earliesttime are defined elsewhere
JobArgs jobargs = new JobArgs();
jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
jobargs.setLatestTime(latesttime);     // latesttime: yesterday
jobargs.setEarliestTime(earliesttime); // earliesttime: yesterday - 10 days

Service service = getSplunkServiceConnection();
Job job = service.getJobs().create(query, jobargs);
while (!job.isDone()) {
    try {
        Thread.sleep(500);
    } catch (InterruptedException e) {
        // keep polling until the job is done
    }
}

// process the result
JobResultsArgs resultargs = new JobResultsArgs();
resultargs.setOutputMode(JobResultsArgs.OutputMode.JSON);
InputStream resultstream = job.getResults(resultargs);
ResultsReader resultreader = new ResultsReaderJson(resultstream);
HashMap<String, String> event;
while ((event = resultreader.getNextEvent()) != null) {
    String ip = event.get("ip");
    String id = event.get("userid");
}
0 Karma

jkat54
SplunkTrust

It sounds like you're exceeding the limits of the stats command (50000 events by default). I would increase the limit and use userid=* instead if you want to search for them all. You could do userid<51 to get the first 50 too.

http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Limitsconf

Please note the following when handling limits.conf in a distributed environment:
# limits.conf settings and DISTRIBUTED SEARCH
# Unlike most settings which affect searches, limits.conf settings are not
# provided by the search head to be used by the search peers. This means
# that if you need to alter search-affecting limits in a distributed
# environment, typically you will need to modify these settings on the
# relevant peers and search head for consistent results.
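Added example, not code from this thread: a client-side check in the same Java SDK the question uses, worth running before touching limits.conf. The job results endpoint hands back one page of rows per call (the REST default is 100 rows unless count/offset are set), so a search over 50 userids can produce more "by ip" rows than a single unpaged getResults() returns. The block builds the OR list from arbitrary string ids (they need not be numeric, so userid<51 does not apply), runs the job in blocking mode, pages through every row, and compares the rows read with the job's own result count. The Service is passed in rather than taken from the thread's getSplunkServiceConnection(); the index name, user ids and time range are placeholders.

```java
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.JobResultsArgs;
import com.splunk.ResultsReaderJson;
import com.splunk.Service;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class CompleteResultsCheck {

    // Rows fetched per getResults() call. The results endpoint returns a
    // limited page unless count/offset are set, so paging is explicit here.
    private static final int PAGE_SIZE = 1000;

    // Build the OR list from arbitrary user ids. Each value is quoted so ids
    // such as "123ad" or ids containing spaces are matched literally; the
    // boolean operator is upper-case OR, which SPL requires.
    static String buildQuery(String index, List<String> userIds) {
        StringBuilder sb = new StringBuilder("search index=").append(index)
                .append(" status=success (");
        for (int i = 0; i < userIds.size(); i++) {
            if (i > 0) sb.append(" OR ");
            sb.append("userid=\"").append(userIds.get(i).replace("\"", "\\\"")).append("\"");
        }
        sb.append(") | stats values(userid) AS userids, values(ip) AS ips BY ip");
        return sb.toString();
    }

    // Run the search blocking, then read every row by paging. Throws if the
    // job failed or if the number of rows read disagrees with the job's own
    // result count (a page that was never read, or a job that was not done).
    static List<Map<String, String>> runAndVerify(Service service, String query,
                                                  String earliest, String latest) throws Exception {
        JobArgs jobArgs = new JobArgs();
        jobArgs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
        jobArgs.setEarliestTime(earliest);
        jobArgs.setLatestTime(latest);

        Job job = service.getJobs().create(query, jobArgs);
        while (!job.isDone()) {
            Thread.sleep(500);
        }
        if (job.isFailed()) {
            throw new IllegalStateException("search job failed: " + job.getSid());
        }

        int expected = job.getResultCount();
        List<Map<String, String>> rows = new ArrayList<>();
        for (int offset = 0; offset < expected; offset += PAGE_SIZE) {
            JobResultsArgs resultsArgs = new JobResultsArgs();
            resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
            resultsArgs.setCount(PAGE_SIZE);
            resultsArgs.setOffset(offset);
            try (InputStream in = job.getResults(resultsArgs)) {
                ResultsReaderJson reader = new ResultsReaderJson(in);
                HashMap<String, String> event;
                while ((event = reader.getNextEvent()) != null) {
                    rows.add(event);
                }
            }
        }
        if (rows.size() != expected) {
            throw new IllegalStateException("read " + rows.size() + " rows but the job reports "
                    + expected + "; a page was dropped or the job was not finished");
        }
        return rows;
    }

    // Placeholder usage: index name, ids and time range are not from the thread.
    public static void main(String[] args) throws Exception {
        Service service = Service.connect(new HashMap<String, Object>()); // assumed connection args
        List<String> ids = List.of("rob", "john", "123ad");
        String query = buildQuery("index01", ids);
        List<Map<String, String>> rows = runAndVerify(service, query, "-11d@d", "-1d@d");
        System.out.println(rows.size() + " rows, e.g. " + (rows.isEmpty() ? "none" : rows.get(0)));
    }
}
```

The count check only proves the client read everything the job produced. If stats hit its server-side cap (the [stats] stanza's maxresultrows in limits.conf, 50000 by default, which is the limit the answer above refers to), the job's reported count is already the truncated count, so a match here together with still-missing users points at that limit, on the search head and on every peer, as the quoted limits.conf note says.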

cse9423
Explorer

Thanks for your reply. I will change the stats limit and give it a try.

userid1, 2, 3... are just examples. The value can be anything, like "rob", "john", "123ad"...

0 Karma