Why do I get a different number of results when calling a SavedSearch in Fast, Smart, and Verbose Mode?

davidts
Path Finder

Hi,

I have an issue whereby, if I call a savedsearch from another search, I get different results returned when using fast, smart and verbose mode.

If I run the savedsearch as an ad hoc search, then the results returned from all 3 modes are the same. However, when I call it using | savedsearch KEPM, I get the variation in results between the 3 modes.

Below is the code that is being used; the time frames are absolute.

Base search:

|  savedsearch KEPM
|  eval Incident=PR_TRIGGER_INCIDENT
|  eval Problem=PR_ID
|  eval "Problem Created"=PR_CREATED_DATE
|  eval KnownError=KE_ID
|  eval Priority=case(isnotnull(KE_ID),KE_PRIORITY,isnull(KE_ID),PR_PRIORITY)
|  eval Status_unfilt=case(isnotnull(KE_ID),KE_STATUS,isnull(KE_ID),PR_STATUS)
|  eval Status=case(like(Status_unfilt,"Deferred%"), null(), like(Status_unfilt,"Closed"), null(), 1=1,Status_unfilt)
|  eval Phase=case(isnotnull(KE_ID),KE_PHASE,isnull(KE_ID),PR_PHASE)
|  eval "Sub Category"=case(isnull(KE_ID),PR_CATEGORY,isnotnull(KE_ID),KE_CATEGORY)
|  eval "Category Area"=case(isnotnull(KE_ID),KE_AREA,isnull(KE_ID),PR_AREA)
|  eval Group_unfilt=case(isnotnull(KE_ID),KE_ASSIGNMENT_GROUP,isnull(KE_ID),PR_ASSIGNMENT_GROUP)
|  eval Group=case(like(Group_unfilt,"PM - IP"), Group_unfilt, like(Group_unfilt,"PM - Corporate"), Group_unfilt, like(Group_unfilt,"PM - Security & Firewalls"), Group_unfilt, 1=1,null())
|  eval Title=case(isnull(KE_ID),PR_TITLE,isnotnull(KE_ID),KE_TITLE)
|  eval Description=case(isnull(KE_ID),PR_DESCRIPTION,isnotnull(KE_ID),KE_DESCRIPTION)
|  eval Workaround=case(isnull(KE_ID),PR_WORKAROUND,isnotnull(KE_ID),KE_WORKAROUND)
|  eval "Root Cause Else Expected Date"=case(isnotnull(KE_ROOT_CAUSE),KE_ROOT_CAUSE,isnotnull(PR_ROOT_CAUSE),PR_ROOT_CAUSE,isnotnull(PR_ROOT_CAUSE_DATE),PR_ROOT_CAUSE_DATE )
|  eval "Solution Else Expected Date"=case(isnotnull(KE_RESOLUTION),KE_RESOLUTION,isnotnull(KE_SOLUTION_DATE),KE_SOLUTION_DATE,isnotnull(PR_SOLUTION_DATE),PR_SOLUTION_DATE)
|  eval "Resolution Else Expected Date"=case(isnotnull(PR_CLOSE_CODE),PR_CLOSE_CODE,isnotnull(KE_ID),KE_EXPECTED_RESOLUTION_DATE,isnull(KE_ID),PR_EXPECTED_RESOLUTION_DATE)
|  eval Assignee=case(isnotnull(KE_ID),KE_ASSIGNED_TO,isnull(KE_ID),PR_ASSIGNED_TO)
|  eval epochevent=strptime(PR_CREATED_DATE, "%Y-%m-%d %H:%M:%S")
|  eval epochstart=strptime("2015-08-01 00:00:00.0", "%Y-%m-%d %H:%M:%S")
|  eval epochend=relative_time(now(),"@d")
|  eval ok= case((epochstart<=epochevent)  and isnotnull(Group) and isnotnull(Status), 1, 1=1, 2)
|  sort Priority Phase "Problem Created"
|  fields Incident Problem "Problem Created" KnownError Priority Status Phase "Sub Category" Group Title Description Workaround "Root Cause Else Expected Date" "Solution Else Expected Date" "Resolution Else Expected Date" Assignee ok
| where ok=1

Saved search (KEPM):

index=nwks_oss_pm_db sourcetype=dbx_smn1d_smpmadmin_rootcausem1 OR sourcetype=dbx_smn1d_smpmadmin_knownerrorm1 
| eval PR_ID=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",ID ,null())
| eval KE_ID=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",ID ,null())
| fields - ID
| eval PR_CATEGORY=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",PRODUCT_TYPE ,null())
| eval KE_CATEGORY=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",PRODUCT_TYPE ,null())
| fields - PRODUCT_TYPE
| eval PR_AREA=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",SUBCATEGORY ,null())
| eval KE_AREA=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",SUBCATEGORY ,null())
| fields - SUBCATEGORY
| eval PR_ASSIGNMENT_GROUP=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",ASSIGNMENT ,null())
| eval KE_ASSIGNMENT_GROUP=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",ASSIGNMENT ,null())
| fields - ASSIGNMENT
| eval PR_PRIORITY=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",PRIORITY_CODE ,null())
| eval KE_PRIORITY=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",PRIORITY_CODE ,null())
| fields - PRIORITY_CODE
| eval PR_PRIMARY_CI=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",LOGICAL_NAME ,null())
| eval KE_PRIMARY_CI=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",LOGICAL_NAME ,null())
| fields - LOGICAL_NAME
| eval PR_PHASE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",CURRENT_PHASE ,null())
| eval KE_PHASE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",CURRENT_PHASE ,null())
| fields - CURRENT_PHASE
| eval PR_STATUS=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",RCSTATUS ,null())
| eval KE_STATUS=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",RCSTATUS ,null())
| fields - RCSTATUS
| eval PR_EXPECTED_RESOLUTION_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",EXPECTED_RESOLUTION_TIME ,null())
| eval KE_EXPECTED_RESOLUTION_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",EXPECTED_RESOLUTION_TIME ,null())
| fields - EXPECTED_RESOLUTION_TIME
| eval PR_LAST_UPDATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",UPDATE ,null())
| eval KE_LAST_UPDATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",UPDATE ,null())
| fields - UPDATE
| eval PR_UPDATE_TIME=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",UPDATE_TIME ,null())
| eval KE_UPDATE_TIME=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",UPDATE_TIME ,null())
| fields - UPDATE_TIME
| eval PR_TITLE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",BRIEF_DESCRIPTION ,null())
| eval KE_TITLE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",BRIEF_DESCRIPTION ,null())
| fields - BRIEF_DESCRIPTION
| eval PR_DESCRIPTION=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",DESCRIPTION ,null())
| eval KE_DESCRIPTION=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",DESCRIPTION ,null())
| fields - DESCRIPTION
| eval PR_ROOT_CAUSE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",ROOT_CAUSE ,null())
| eval KE_ROOT_CAUSE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",ROOT_CAUSE ,null())
| fields - ROOT_CAUSE
| eval PR_CREATED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",OPEN_TIME ,null())
| eval KE_CREATED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",OPEN_TIME ,null())
| fields - OPEN_TIME
| eval PR_CLOSED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",CLOSE_TIME ,null())
| eval KE_CLOSED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",CLOSE_TIME ,null())
| fields - CLOSE_TIME
| eval PR_REOPENED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",REOPEN_TIME ,null())
| eval KE_REOPENED_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",REOPEN_TIME ,null())
| fields - REOPEN_TIME
| eval PR_ASSIGNED_TO=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",ASSIGNEE_NAME ,null())
| eval KE_ASSIGNED_TO=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",ASSIGNEE_NAME ,null())
| fields - ASSIGNEE_NAME
| eval PR_WORKAROUND=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",WORKAROUND ,null())
| eval KE_WORKAROUND=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",WORKAROUND ,null())
| fields - WORKAROUND
| eval PR_CLOSE_CODE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",CLOSURE_CODE ,null())
| eval KE_CLOSE_CODE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",CLOSURE_CODE ,null())
| fields - CLOSURE_CODE
| eval PR_SOLUTION_DATE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",SOLUTIONDATE ,null())
| eval KE_SOLUTION_DATE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",SOLUTIONDATE ,null())
| fields - SOLUTIONDATE
| eval PR_SERVICE=if( sourcetype="dbx_smn1d_smpmadmin_rootcausem1",AFFECTED_ITEM ,null())
| eval KE_SERVICE=if( sourcetype="dbx_smn1d_smpmadmin_knownerrorm1",AFFECTED_ITEM ,null())
| fields - AFFECTED_ITEM
| rename CLOSED_BY AS KE_CLOSED_BY, ROOTCAUSEDATE AS PR_ROOT_CAUSE_DATE, OPTUS_VENDOR_CASE_NUMBER AS PR_VENDOR_CASE_REF, OPTUS_IFMS_REFERENCE AS PR_TRIGGER_INCIDENT, PARENT_PROBLEM AS KE_TRIGGER_PROBLEM, PROPOSED_SOLUTION AS KE_PROPOSED_SOLUTION
| eval comboID=coalesce(PR_ID,KE_TRIGGER_PROBLEM) 
# | stats values(*) as * by comboID
| stats first(*) as * by comboID
| fields KE_ID KE_CATEGORY KE_AREA KE_ASSIGNMENT_GROUP KE_LAST_UPDATE KE_UPDATE_TIME KE_PRIMARY_CI KE_TITLE KE_DESCRIPTION KE_ROOT_CAUSE KE_CREATED_DATE KE_CLOSED_DATE KE_CLOSED_BY KE_REOPENED_DATE KE_PRIORITY KE_ASSIGNED_TO KE_RESOLUTION KE_WORKAROUND KE_PHASE KE_EXPECTED_RESOLUTION_DATE KE_PROPOSED_SOLUTION KE_TRIGGER_PROBLEM KE_SERVICE KE_SOLUTION_DATE KE_CLOSE_CODE KE_STATUS PR_ID PR_CATEGORY PR_AREA PR_PRIORITY PR_ASSIGNMENT_GROUP PR_PRIMARY_CI PR_PHASE PR_STATUS PR_LAST_UPDATE PR_UPDATE_TIME PR_ASSIGNED_TO PR_TITLE PR_DESCRIPTION PR_ROOT_CAUSE PR_CREATED_DATE PR_CLOSED_DATE PR_REOPENED_DATE PR_WORKAROUND PR_EXPECTED_RESOLUTION_DATE PR_CLOSE_CODE PR_ROOT_CAUSE_DATE PR_SOLUTION_DATE PR_SERVICE PR_VENDOR_CASE_REF PR_TRIGGER_INCIDENT
| table KE_ID KE_CATEGORY KE_AREA KE_ASSIGNMENT_GROUP KE_LAST_UPDATE KE_UPDATE_TIME KE_PRIMARY_CI KE_TITLE KE_DESCRIPTION KE_ROOT_CAUSE KE_CREATED_DATE KE_CLOSED_DATE KE_CLOSED_BY KE_REOPENED_DATE KE_PRIORITY KE_ASSIGNED_TO KE_RESOLUTION KE_WORKAROUND KE_PHASE KE_EXPECTED_RESOLUTION_DATE KE_PROPOSED_SOLUTION KE_TRIGGER_PROBLEM KE_SERVICE KE_SOLUTION_DATE KE_CLOSE_CODE KE_STATUS PR_ID PR_CATEGORY PR_AREA PR_PRIORITY PR_ASSIGNMENT_GROUP PR_PRIMARY_CI PR_PHASE PR_STATUS PR_LAST_UPDATE PR_UPDATE_TIME PR_ASSIGNED_TO PR_TITLE PR_DESCRIPTION PR_ROOT_CAUSE PR_CREATED_DATE PR_CLOSED_DATE PR_REOPENED_DATE PR_WORKAROUND PR_EXPECTED_RESOLUTION_DATE PR_CLOSE_CODE PR_ROOT_CAUSE_DATE PR_SOLUTION_DATE PR_SERVICE PR_VENDOR_CASE_REF PR_TRIGGER_INCIDENT

Thanks,

David

0 Karma

DalJeanis
Legend

I reviewed your code and noted some potential improvements and potential errors. These notes are probably not the solution for the different responses, but the third one MIGHT be having some effect on whether your results are accurate.

1) The fields command is redundant with the table command that follows it. Remove the fields command.

2) This case(isnull(X),Y,isnotnull(X),Z) structure would be more efficient as an if(isnull(X),Y,Z), which would save one test. For example...

|  eval "Sub Category"=case(isnull(KE_ID),PR_CATEGORY,isnotnull(KE_ID),KE_CATEGORY)

...would be better coded as...

|  eval "Sub Category"=if(isnull(KE_ID),PR_CATEGORY,KE_CATEGORY)

3) Within a case or if statement, == is the operator for an equality test.

4) Splunk provides a true() function/operator, which should be used in place of 1==1, and a false() for 1==0 or 1!=1.

0 Karma

somesoni2
Revered Legend

How many results are you getting?

0 Karma

DalJeanis
Legend

Do a test with fixed earliest and latest dates in the saved search code and tell us how many results you are getting for each method (fast, smart, verbose).

0 Karma
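One way to run the test described above, added here as an example and not part of the thread: the first line is the opening line of KEPM with absolute earliest/latest bounds (the dates are placeholders to adjust); the second search is then run once in each of Fast, Smart and Verbose mode and reports, next to the row count, how many rows carry each input that the base search's ok flag depends on, using the if() form suggested earlier in the thread.

```spl
index=nwks_oss_pm_db (sourcetype=dbx_smn1d_smpmadmin_rootcausem1 OR sourcetype=dbx_smn1d_smpmadmin_knownerrorm1) earliest="08/01/2015:00:00:00" latest="09/01/2015:00:00:00"

| savedsearch KEPM
| eval Group_unfilt=if(isnull(KE_ID), PR_ASSIGNMENT_GROUP, KE_ASSIGNMENT_GROUP)
| eval Status_unfilt=if(isnull(KE_ID), PR_STATUS, KE_STATUS)
| eval epochevent=strptime(PR_CREATED_DATE, "%Y-%m-%d %H:%M:%S")
| stats count AS rows,
        count(PR_ID) AS problems,
        count(KE_ID) AS known_errors,
        count(PR_TRIGGER_INCIDENT) AS has_trigger_incident,
        count(epochevent) AS has_parseable_created_date,
        count(Group_unfilt) AS has_group,
        count(Status_unfilt) AS has_status
```

If rows agrees across the three modes but one of the has_* columns does not, that column names the field whose presence differs between modes and which the where ok=1 filter then drops.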