Splunk Enterprise

Why do I get fewer events in verbose mode?

marcokrueger
Path Finder

Hello everybody,
I have a problem with incomplete search results.
When I use clever mode I get 1125 events, but in verbose mode I only get 969.
I wonder why this behaviour occurs, because verbose should be the more exact extraction, so I thought about memory limits but can't find any error in the search.log.
Another indication for a memory issue is that if I limit the fields in the response to one, e.g. "... | fields + D_T2m | ...", I also get the 1125 events.

How can I easily verify my results so I know I can trust them? I can't find any error in the log, or at least a warning that would indicate missing values.

best regards
Grisuji

P.S. As background information, I also use an append in this search which appends another kind of data, but the results I miss are from the main search, and the append does not give very many events: ~2000, not very much. When I skip the append, the results are also complete, which points to a memory issue.


niketn
Legend

With append it is a matter of how many events the subsearch has to parse rather than how many events it has to display. You ensure that you get only the required events in your base search for both the main and the appended search. If you have to work with only one column, have you tried appendcols instead of append?

Also, if you run the two searches separately in verbose mode, do you still see the issue with one or both of them?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

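As an added illustration of the advice above (not part of niketn's answer), the search below restricts each leg to the field actually needed, tags the rows by origin, and sets explicit append limits so the subsearch is not silently finalized at the defaults (maxtime=60 seconds, maxout=50000). The index and sourcetype names are assumed; D_T2m is the field from the question.

```spl
index=sensors sourcetype=weather_station
| fields + _time D_T2m
| eval leg="main"
| append maxtime=600 maxout=100000
    [ search index=sensors sourcetype=weather_forecast
      | fields + _time D_T2m
      | eval leg="appended" ]
| stats count AS events, count(D_T2m) AS with_value BY leg
```

To verify the combined result, run `index=sensors sourcetype=weather_station | stats count` on its own in the same time range and compare it with the `events` value for leg=main; a lower number in the combined search means the append is costing you events.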

woodcock
Esteemed Legend

Do not use subsearch-based commands such as append and join.


marcokrueger
Path Finder

Thank you, is this a general recommendation? Is the append a reason why Splunk> can't warn for incomplete results?


woodcock
Esteemed Legend

Yes, it is mostly silent, unless you go digging for it after the fact.


marcokrueger
Path Finder

Thank you, I have refactored the query so it works without an append. The only thing I miss is a message in cases of memory issues or incomplete results. It leaves a very bad taste not to know whether everything is complete.


niketn
Legend

In terms of documentation, what I can suggest is going to the following for choosing the correct method for correlation:

http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation

Please accept this answer if this has helped you, or else provide your own answer and accept the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"