- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why does the same search produce different results...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am automating a report.
So for that i use 4 dump CSV files whose names i don't change. When i used to change the dump i used to 'delete' the earlier source and upload the new one with the same name in the search app. I had another app installed which uses this search and the process worked fine until recently when i uploaded new data.
To elaborate.
for the below query
source="Dump Tier 2 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" |eval / = "Tier 2 Tickets By RunFactory" |append [search source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" | eval / = "Tier 2 Tickets"] | append [ search source="Dump Tier 1.5 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" |eval / = "Tier 1.5 Tickets by RunFactory" ] | append [ search source="Dump Tier 1.5.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" | eval / = "Tier 1.5 Tickets" ] | chart count by /, Internal_Team | addtotals
i get count of tier 2 as 3800 odd events
and when i do
source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
it gives me count as 3335 which is the correct one
this happens within my installed app and in the searching app too.
whats wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your combined query, you're doing aggregation based on field Internal_Team which I'm guess is multivalued fields for some events. I would check the count of following queries to confirm the same.
This should give 3335
source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" | stats count
This should give 3800
source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" | stats count by Internal_Team | stats sum(count) as count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your combined query, you're doing aggregation based on field Internal_Team which I'm guess is multivalued fields for some events. I would check the count of following queries to confirm the same.
This should give 3335
source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" | stats count
This should give 3800
source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" | stats count by Internal_Team | stats sum(count) as count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this was indeed the case. The field internal tea was extracted from a lookup file and that file had duplicate values reesulting in multivalued fields for some events. Hope this helps someone else. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you post code, be sure to mark it as code (the button with 101 010 on it). That way, the web interface won't cause stuff in angle brackets < > to disappear, and wont use asterisks for an instruction to make the words bold or italic.
I suspect that the answer is something having to do with propagation of the file, so I'd be looking for a way for you to test with local=true. Meanwhile, here's an experiment you can try -
Try this and see if you get any Tier 2 -- you should get zero -
source="Dump Tier 2 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
|eval / = "Tier 2 Tickets By RunFactory"
|append
[search source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
| eval / = "Tier 2 Tickets" | where 1!=1]
| append
[ search source="Dump Tier 1.5 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
|eval / = "Tier 1.5 Tickets by RunFactory" ]
| append
[ search source="Dump Tier 1.5.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"
| eval / = "Tier 1.5 Tickets" ]
| chart count by /, Internal_Team
| addtotals
If you got any tier two results, they have to be coming from one of the other files, which shouldn't be possible, but it's interesting...
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
