Splunk Search

Why is the result number not matching?

rakeshyv0807
Explorer

Hi - I have a query that returns the total number of people logged into an application, and I am displaying results for the last 24 hours. Below is the query:

sourcetype="pfad" AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | search connectionid=PartnerPortal | stats count(subject) ------------> returns a total count of 1400+

Here the "PartnerPortal" is the application name which is tied to the field "connectionid". But if I change the above query to something like following:

sourcetype="pfad" PartnerPortal AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid=* | dedup subject  | stats count(subject) ------------> returns a total count of 2300+

I have tried the following query as well, but it also returns 2300+ results:

sourcetype="pfaduit" connectionid = PartnerPortal tid success NOT AUTHN_ATTEMPT NOT SLO NOT OIDC adapterid= * | dedup subject | stats count(subject)

Shouldn't all the above queries return the same number?

Please advise.

Thanks.

1 Solution

woodcock
Esteemed Legend

This makes sense to me. Imagine that you have 2 events like this:

subject=foo connectionid=poo
subject=foo connectionid=PartnerPortal

If you do | dedup subject | search connectionid=PartnerPortal | stats count(subject) you will get 0.
If you do | search connectionid=PartnerPortal | dedup subject | stats count(subject) you will get 1.


aholzer
Motivator

First thing I'll say is that running PartnerPortal is very different from running connectionid = PartnerPortal, which in turn is different from running connectionid = PartnerPortal* in your base search.

For example if you have these three events:
event 1 = time1 there was an error in PartnerPortal. adapterid=value1.a subject=value2.a
event 2 = time2 connectionid=PartnerPortal adapterid=value1.b subject=value2.b
event 3 = time3 connectionid=PartnerPortalConfig adapterid=value1.c subject=value2.c

  1. Running just a string search for "PartnerPortal" in your base search, you'll get all three events above returned.
  2. Running connectionid = PartnerPortal* in your base search will return event 2 and event 3 but not event 1, since event 1 doesn't even have the field connectionid in it.
  3. Running connectionid = PartnerPortal in your base search will return only event 2, since the value of connectionid in event 3 is actually PartnerPortalConfig

Hope this helps

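The two effects explained in the accepted solution (dedup before versus after the connectionid filter) and in aholzer's reply (a bare PartnerPortal keyword versus connectionid = PartnerPortal versus connectionid = PartnerPortal*), reproduced in plain Python over a handful of constructed events. This is an added example, not code from the thread or from Splunk: the event lines, subjects and connection names are made up, and the key=value regex, the case-insensitive comparisons and the substring keyword match are simplifications of Splunk's field extraction and tokenized search.

```python
"""Model of the SPL pipelines from the thread: why
'| dedup subject | search connectionid=PartnerPortal' undercounts, and why a
bare keyword, field=value and field=value* select different events.
Added example; not code from the thread or from Splunk."""
import re
from typing import Callable, Dict, List

# Constructed sample events (not real PingFederate output), newest first, which
# is the order Splunk hands events to dedup. Subject "foo" authenticated to two
# different connections, "baz" only mentions PartnerPortal in free text, and
# "qux" used a connection whose name merely starts with PartnerPortal.
EVENTS: List[str] = [
    "subject=foo connectionid=poo adapterid=a1 success",
    "subject=foo connectionid=PartnerPortal adapterid=a1 success",
    "subject=bar connectionid=PartnerPortal adapterid=a1 success",
    "time1 there was an error in PartnerPortal. adapterid=a2 subject=baz",
    "subject=qux connectionid=PartnerPortalConfig adapterid=a3 success",
]

Predicate = Callable[[str], bool]
_KV = re.compile(r"(\w+)=(\S+)")


def extract_fields(event: str) -> Dict[str, str]:
    """Stand-in for Splunk's automatic key=value field extraction."""
    return dict(_KV.findall(event))


def keyword(term: str) -> Predicate:
    """Bare term in the base search (e.g. 'PartnerPortal' with no field name).
    Substring match is a simplification of Splunk's indexed-token lookup."""
    return lambda e: term.lower() in e.lower()


def field_equals(name: str, value: str) -> Predicate:
    """field=value in the search command: exact, case-insensitive match on the
    extracted field; an event lacking the field never matches."""
    return lambda e: extract_fields(e).get(name, "").lower() == value.lower()


def field_prefix(name: str, prefix: str) -> Predicate:
    """field=prefix* : trailing wildcard on the extracted field value."""
    return lambda e: extract_fields(e).get(name, "").lower().startswith(prefix.lower())


def dedup(events: List[str], field: str) -> List[str]:
    """'| dedup <field>': keep the first event seen per value. Events without
    the field are dropped, matching dedup's default keepempty=false."""
    seen, kept = set(), []
    for e in events:
        v = extract_fields(e).get(field)
        if v is None or v in seen:
            continue
        seen.add(v)
        kept.append(e)
    return kept


def dedup_then_filter(events: List[str], pred: Predicate, field: str = "subject") -> List[str]:
    """The OP's first pipeline: '| dedup subject | search <pred>'.
    dedup picks one arbitrary connection per subject, so subjects whose newest
    event is for another connection are lost before the filter runs."""
    return [e for e in dedup(events, field) if pred(e)]


def filter_then_dedup(events: List[str], pred: Predicate, field: str = "subject") -> List[str]:
    """The safe order: '<pred> | dedup subject' (filter in the base search)."""
    return dedup([e for e in events if pred(e)], field)


def distinct_count(events: List[str], pred: Predicate, field: str = "subject") -> int:
    """niketn's suggestion: '<pred> | stats dc(subject)'. No dedup step, so no
    ordering trap; equals len(filter_then_dedup(...)) for the same predicate."""
    return len({extract_fields(e)[field] for e in events
                if pred(e) and field in extract_fields(e)})


def counts(events: List[str]) -> Dict[str, int]:
    """Distinct PartnerPortal subjects under each variant discussed in the thread."""
    exact = field_equals("connectionid", "PartnerPortal")
    return {
        "dedup_then_filter exact": len(dedup_then_filter(events, exact)),
        "filter_then_dedup exact": len(filter_then_dedup(events, exact)),
        "stats dc exact": distinct_count(events, exact),
        "filter_then_dedup keyword": len(filter_then_dedup(events, keyword("PartnerPortal"))),
        "filter_then_dedup prefix": len(filter_then_dedup(events, field_prefix("connectionid", "PartnerPortal"))),
    }


if __name__ == "__main__":
    for name, n in counts(EVENTS).items():
        print(f"{name:28s} {n}")
```

Running it gives 1 for dedup-then-filter against 2 for filter-then-dedup and dc(subject) on the same exact match, which is woodcock's 0-versus-1 case at a slightly larger scale; the keyword and wildcard variants come out at 4 and 3 because they also pick up the free-text mention and the PartnerPortalConfig connection. For a "who logged into this application" report, only the exact-match, filter-first (or dc) form counts the population you actually mean.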

rakeshyv0807
Explorer

Thanks for the reply.

sourcetype="pfad" AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | search connectionid=PartnerPortal | stats count(subject) ------------> returns a total count of 1400+

sourcetype="pfad" connectionid = PartnerPortal AND success AND NOT AUTHN_ATTEMPT AND NOT SLO AND NOT OIDC AND adapterid= * | dedup subject | stats count(subject) -----> returns a total count of 2300+

Don't the above two queries return the same number of results?

Thanks.


xpac
SplunkTrust

Those are two different sourcetypes?


rakeshyv0807
Explorer

Just updated my reply. Please check and let me know. Thanks.


xpac
SplunkTrust

If you dedup first and filter on PartnerPortal afterwards, you might have already thrown away events that would have fit the PartnerPortal criteria. In the second search, you're filtering before the dedup, therefore resulting in more events.

niketn
Legend

Instead of | dedup subject | stats count(subject) can you try | stats dc(subject)?

Also, you must understand that NOT is not the same as !=: a search with NOT will also return events where the keywords after NOT are not present at all. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#6._Using_the_NOT_or_.21.3D...

Also try turning off Search Optimization to test the results of the two queries as per answer: https://answers.splunk.com/answers/589037/search-results-are-different.html


xpac
SplunkTrust

Also, in the first search adapterid= is missing the *
