Hi - I have a query where it results in total number of results of number of people logged into an application and I am displaying results for the last 24 hours. Below is the query:
sourcetype="pfad" AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | search connectionid=PartnerPortal | stats count(subject) ------------> resulted total count of 1400+
Here the "PartnerPortal" is the application name which is tied to the field "connectionid". But if I change the above query to something like following:
sourcetype="pfad" **PartnerPortal** AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid=* | dedup subject | stats count(subject) ------------> resulted total count of 2300+
I have tried the following query as well but resulting 2300+ results:
sourcetype="pfaduit" connectionid = PartnerPortal tid success NOT AUTHN_ATTEMPT NOT SLO NOT OIDC adapterid= * | dedup subject | stats count(subject)
Shouldn't all the above queries result the same number?
Please advise.
Thanks.
This makes sense to me. Imagine that you have 2 events like this:
subject=foo connectionid=poo
subject=foo connectionid=PartnerPortal
If you do | dedup subject | search connectionid=PartnerPortal | stats count(subject) you will get 0.
If you do | search connectionid=PartnerPortal | dedup subject | stats count(subject) you will get 1.
First thing I'll say is that running PartnerPortal is very different from running connectionid = PartnerPortal, which in turn is different from running connectionid = PartnerPortal* in your base search.
For example if you have these three events:
event 1 = time1 there was an error in PartnerPortal. adapterid=value1.a subject=value2.a
event 2 = time2 connectionid=PartnerPortal adapterid=value1.b subject=value2.b
event 3 = time3 connectionid=PartnerPortalConfig adapterid=value1.c subject=value2.c
connectionid = PartnerPortal* in your base search will return event 2 and event 3 but not event 1, since event 1 doesn't even have the field connectionid in it.
connectionid = PartnerPortal in your base search will return only event 2, since the value of connectionid in event 3 is actually PartnerPortalConfig.
Hope this helps
Thanks for the reply.
sourcetype="pfad" AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | search connectionid=PartnerPortal | stats count(subject) ------------> resulted total count of 1400+
sourcetype="pfad" connectionid = PartnerPortal AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | stats count(subject) -----> resulted total count of 2300+
Don't the above two queries return the same number of results?
Thanks.
Those are two different sourcetypes?
Just updated my reply. Please check and let me know. Thanks.
If you dedup and filter on Partnerportal afterwards, you might have already thrown away events that might have fit the Partnerportal criteria. In the second search, you're doing it before dedup, therefore resulting in more events.
Instead of | dedup subject | stats count(subject) can you try | stats dc(subject)?
Also you must understand that NOT is not the same as !=; trying to find NOT will also return events where the keywords after NOT are not present. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#6._Using_the_NOT_or_.21.3D...
Also try turning off Search Optimization to test the results of the two queries as per answer: https://answers.splunk.com/answers/589037/search-results-are-different.html
Also, in the first search adapterid= is missing the *
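As an added illustration that is not part of any post above, the following Python model of the two pipelines shows why dedup before the filter and dedup after the filter count differently, and that stats dc(subject) matches the filter-then-dedup result. It assumes Splunk's default dedup behaviour (events arrive newest first, the first event per value is kept, events lacking the field are dropped) and uses constructed sample events, including the subject=foo pair from the thread.

```python
# Constructed sample events, in the order Splunk would return them (newest
# first). The first two mirror the thread's subject=foo example.
EVENTS = [
    {"subject": "foo", "connectionid": "poo"},
    {"subject": "foo", "connectionid": "PartnerPortal"},
    {"subject": "bar", "connectionid": "PartnerPortal"},
    {"subject": "bar", "connectionid": "PartnerPortal"},
    {"subject": "baz", "connectionid": "PartnerPortalConfig"},
]


def dedup(events, field):
    """Model of `| dedup <field>`: keep the first event seen per value.
    Splunk's default (keepempty=false) drops events that lack the field."""
    seen = set()
    kept = []
    for event in events:
        value = event.get(field)
        if value is None or value in seen:
            continue
        seen.add(value)
        kept.append(event)
    return kept


def search_eq(events, field, value):
    """Model of `| search <field>=<value>`: exact match on the whole value,
    compared case-insensitively as Splunk's search command does."""
    return [e for e in events if str(e.get(field, "")).lower() == value.lower()]


def dedup_then_search(events):
    """| dedup subject | search connectionid=PartnerPortal | stats count(subject)"""
    return len(search_eq(dedup(events, "subject"), "connectionid", "PartnerPortal"))


def search_then_dedup(events):
    """connectionid=PartnerPortal ... | dedup subject | stats count(subject)"""
    return len(dedup(search_eq(events, "connectionid", "PartnerPortal"), "subject"))


def distinct_count(events):
    """connectionid=PartnerPortal ... | stats dc(subject)"""
    return len({e["subject"] for e in search_eq(events, "connectionid", "PartnerPortal")})


if __name__ == "__main__":
    print("dedup then search:", dedup_then_search(EVENTS))  # 1
    print("search then dedup:", search_then_dedup(EVENTS))  # 2
    print("stats dc(subject):", distinct_count(EVENTS))     # 2
```

The dedup-first pipeline discards subject foo's PartnerPortal login because the newer "poo" event wins the dedup, which is exactly the under-count the question describes.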