Splunk Search

Why are the same 2 searches retrieving a different amount of results?

guillecasco
Path Finder

hey i have this 2 searches:

index= foo usearch | rex field=summary "(?{.*)" | spath input=json_data | search asset{}.version = 30201184

which brings 21657 events

and this one, which is basically the same with an AND.

index= foo usearch | rex field=summary "(?{.*)" | spath input=json_data | search asset{}.version <= 30401942 AND asset{}.version = 30201184

the last value is same as in first search, but it brings 790 events

shouldn't it both bring same quantity of events?

Tags (2)
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

If you have multi-value fields, the comparisons can come up with interesting results.

The test for equal will allow any event through that matches the equal. That event could have other values as well. If one of the other values was greater, then it might fail the second condition.

run this

 index= foo usearch | rex field=summary "(?{.*)" | spath input=json_data | search NOT(asset{}.version <= 30401942) AND (asset{}.version = 30201184)

and take a look at the individual events to see what their multiple version values are.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Does these two queries gives you correct counts?

index= foo usearch | rex field=summary "(?<json_data>\{.*)" | spath input=json_data | where 'asset{}.version'= 30201184

index= foo usearch | rex field=summary "(?<json_data>\{.*)" | spath input=json_data | where 'asset{}.version' <= 30401942 AND 'asset{}.version'=30201184 
0 Karma

guillecasco
Path Finder

actually if i do as you said : index= foo updatesearch | rex field=summary "(?{.*)" | spath input=json_data | where 'asset{}.version'= 30201184
it brings 661 events

but
index= updtr_api updatesearch | rex field=summary "(?{.*)" | spath input=json_data | search asset{}.version = 30201184

brings 21657 events

it seem like there is a difference between | search and |were ...?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The where is treating the field as numerical data and (I think) the search is treating it as string. Which one is the correct answer?? You can check the field sidebar to see how many distinct values you get under the field asset{}.version.

0 Karma

guillecasco
Path Finder

ok i´m no getting something. I check on the left on the 2 queries and have for:
index=foo updatesearch | rex field=summary "(?{.*)" | spath input=json_data | search asset{}.version = 30201184

interesting fields. (at the left)
asset{}.version 13. And if i open that, i have
30201184 21657 --> (which is the amount of events the query brings)
60052 7456
60062 2589
....

why are other 12 versions showing up?

for the other query:
index= foo updatesearch | rex field=summary "(?{.*)" | spath input=json_data | search asset{}.version <= 30401942 AND asset{}.version = 30201184

interesting fields
asset{}.version 1
30201184 661 -> amount of events of the second query.

does this make sense? is the AND command filtering also more events? doesn´t make sense.

0 Karma

niketn
Legend

Would it be possible for you to add sample/mock of JSON data?

You should ideally be traversing through your JSON node to get to asset{}.version value and assign it to a new field using output parameter. Also when you have condition like version = 30201184 then version <= 30401942 does not make sense, so your search boundary conditions should ideally be changed if that is what you intend to do.

 <Your Base Search>
| spath input=json_data output=version path=yourrootNodehierarchy.asset{}.version | search version>=30201184 AND version<=30401942
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

guillecasco
Path Finder

i did the query that way just to try how the AND operator works. i mean, if I just want to filter by version =30201184 and i include an AND that brings data <= 30401942, they should both bring same amount of events don´t understand why they don´t. The way you said only brings logs from vales between 30201184 and 30401942

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...