Splunk Search

Why does the same search produce different results?

amitmenon123
New Member

I am automating a report.
So for that I use 4 dump CSV files whose names I don't change. When I used to change the dump I used to 'delete' the earlier source and upload the new one with the same name in the search app. I had another app installed which uses this search and the process worked fine until recently when I uploaded new data.

To elaborate.

for the below query

source="Dump Tier 2 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
| eval / = "Tier 2 Tickets By RunFactory" 
| append 
    [ search source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    | eval / = "Tier 2 Tickets" ] 
| append 
    [ search source="Dump Tier 1.5 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    | eval / = "Tier 1.5 Tickets by RunFactory" ] 
| append 
    [ search source="Dump Tier 1.5.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    | eval / = "Tier 1.5 Tickets" ] 
| chart count by /, Internal_Team 
| addtotals

I get the count of Tier 2 as 3800-odd events,

and when I do

source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv"  Internal_Team = "*" 

it gives me a count of 3335, which is the correct one.

This happens within my installed app and in the search app too.

What's wrong?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

In your combined query, you're doing aggregation based on the field Internal_Team, which I'm guessing is a multivalued field for some events. I would check the count of the following queries to confirm the same.

This should give 3335

source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"  | stats count

This should give 3800

source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*"  | stats count by Internal_Team | stats sum(count) as count
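The check above can be reproduced without the CSV dumps. The search below is an added example, not part of the thread: it builds four constructed events with `makeresults`, gives one of them a duplicated Internal_Team value of the kind a lookup with duplicate rows produces, and then counts the same events three ways in a single `stats` call. `events` is what a plain `stats count` returns, `rows_seen_by_chart` is what `chart count by Internal_Team` would add up to (every value of a multivalue field is counted once), and `rows_after_mvdedup` shows that collapsing the duplicate values with `mvdedup` before aggregating restores the per-event count. The field name Internal_Team is taken from the thread; the team names and ticket_id are constructed.

```spl
| makeresults count=4
| streamstats count as ticket_id
| eval Internal_Team=case(ticket_id==1, "NetOps",
                          ticket_id==2, "NetOps",
                          ticket_id==3, "SecOps",
                          ticket_id==4, "NetOps;NetOps")
| makemv delim=";" Internal_Team
| eval team_values=mvcount(Internal_Team),
       Internal_Team_dedup=mvdedup(Internal_Team)
| stats count as events,
        sum(team_values) as rows_seen_by_chart,
        sum(eval(mvcount(Internal_Team_dedup))) as rows_after_mvdedup
```

Expected result: events=4, rows_seen_by_chart=5, rows_after_mvdedup=4. In the thread's terms, the gap between 3335 and 3800 is the sum of the extra values; `... | where mvcount(Internal_Team) > 1` run against the real source lists exactly the events that carry them, which is the quickest way to confirm the lookup is the culprit before fixing its duplicate rows.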

amitmenon123
New Member

This was indeed the case. The field Internal_Team was extracted from a lookup file and that file had duplicate values, resulting in multivalued fields for some events. Hope this helps someone else. 🙂

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

When you post code, be sure to mark it as code (the button with 101 010 on it). That way, the web interface won't cause stuff in angle brackets < > to disappear, and won't use asterisks as an instruction to make the words bold or italic.


I suspect that the answer is something having to do with propagation of the file, so I'd be looking for a way for you to test with local=true. Meanwhile, here's an experiment you can try -


Try this and see if you get any Tier 2 -- you should get zero -

source="Dump Tier 2 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
|eval / = "Tier 2 Tickets By RunFactory" 
|append 
    [search source="Dump Tier 2.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    | eval / = "Tier 2 Tickets" | where 1!=1] 
| append 
    [ search source="Dump Tier 1.5 Runfactory.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    |eval / = "Tier 1.5 Tickets by RunFactory" ] 
| append 
    [ search source="Dump Tier 1.5.csv" host="M2B-D-80NCVQ1" sourcetype="csv" Internal_Team = "*" 
    | eval / = "Tier 1.5 Tickets" ] 
| chart count by /, Internal_Team 
| addtotals

If you got any tier two results, they have to be coming from one of the other files, which shouldn't be possible, but it's interesting...

0 Karma