Splunk Search

Why is my search returning fewer results when it should return the same?

carsonl
Explorer

Hi all,

Some background...
We have a large amount of data coming in, and the filename is used to derive some of the fields.

One of the fields is 'cclient', as we can see from the below search, it is extracting the field correctly:

index=bluecoat source=*Fox* earliest=-2w | stats count by cclient
    cclient count
    Fox_8   48412

However, when searching, something strange happens... even though the data is there, it returns substantially fewer results than the previous query:

index=bluecoat cclient=Fo* earliest=-2w | stats count by cclient
    cclient count
    Fox_8   1483

Even less when you go more specific...

index=bluecoat cclient=Fox* earliest=-2w | stats count by cclient
    cclient count
    Fox_8   1309

and even less again when you get even more specific...

index=bluecoat cclient=Fox_8 earliest=-2w | stats count by cclient
    cclient count
    Fox_8   27

Utilising quotes doesn't change anything. I have also cleared all eventdata from this index to ensure the change of data didn't do anything weird.

It is worth noting that when the string was "Fox 8", there wasn't this problem. I had to change the data to replace the space with an underscore, as tags cannot contain spaces... even when wrapped in quotes.

Has anyone seen this before? Is there a resolution/workaround?

I haven't updated to 4.3 yet...

Regards,

Carson.

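To localise where the events disappear, here is a diagnostic search added for this page (it is not Carson's own), using only the index, field and values from the post: it lines up the count from the problematic base-search filter (A) against the same filter applied as a pipeline `search` (B) and as a `where` (C) after the events have already been retrieved by the working `source=*Fox*` search. The `check` labels are the only names introduced here.

```spl
index=bluecoat cclient=Fox_8 earliest=-2w
| stats count AS events
| eval check="A: cclient=Fox_8 filtered in the base search (the form that returned 27)"
| append [
    search index=bluecoat source=*Fox* earliest=-2w
    | search cclient=Fox_8
    | stats count AS events
    | eval check="B: same filter applied by a pipeline search after retrieval"
  ]
| append [
    search index=bluecoat source=*Fox* earliest=-2w
    | where cclient="Fox_8"
    | stats count AS events
    | eval check="C: where on the extracted field, never touches the index scan"
  ]
| table check events
```

If B and C both match the 48412 from the `source=*Fox*` search while A stays at 27, the events are being dropped during retrieval, before `cclient` is ever compared, rather than by the field extraction itself.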
1 Solution

carsonl
Explorer

It appears that upgrading to 4.3 fixed the issue. Makes me believe this was a Splunk bug.

