Solved: Why same search query shows two different results ...

iparitosh · ‎06-27-2019

Exact same query when run via search app returns 0 Statistics but shows correct stats when run via cloud monitoring app.
I am not using any macros here.

What could be the issue here?

Query [Time range: Yesterday]:

(search_id!="rsa_" action=search host= host=sh*.splunkcloud.com index=audit sourcetype=audittrail NOT user=cmon_user NOT user=internal_monitoring NOT user=ops_admin)
| eval user=if((user == "n/a"),null(),user), search_type=case(match(search_id,"^SummaryDirector"),"summarization",match(savedsearch_name,"^ACCELERATE"),"acceleration",match(search_id,"^((rt_)?scheduler_|alertsmanager_)"),"scheduled",match(search_id,"\d{10}\.\d+(_[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})?$"),"ad hoc",true(),"other"), search=if((isnull(savedsearch_name) OR (savedsearch_name == "")),search,savedsearch_name)
| stats min(_time) as _time, values(user) as user, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id, host
| search (host=* search="" user="")
| where ((search_type = "scheduled") AND isnotnull(search))
| eval earliest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiStartTime,"%ZERO_TIME%"),"-",true(),apiStartTime), latest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiEndTime,"%ZERO_TIME%"),"-",true(),apiEndTime), _time=strftime('_time',"%m/%d/%Y %H:%M:%S %z")
| stats max(total_run_time) as total_run_time by search, _time, earliest, latest, search_type, user, host, search_id
| where (total_run_time >= 0)
| sort - total_run_time
| fields search, total_run_time, _time, earliest, latest, search_type, user
| eventstats count max(total_run_time) as max_run_time sum(total_run_time) as total_run_time_2 by search user
| sort 0 - total_run_time
| dedup search user
| fields search, max_run_time, _time, , earliest, latest, search_type, user, total_run_time_2 count
| rename _time as "Search Start", earliest as "Earliest Time", host as Host, latest as "Latest Time", search as "Report/Alert Name", search_id as SID, search_type as Type, max_run_time as "Max Runtime (seconds)", total_run_time_2 as "Total Runtime (seconds)", user as User, count as "Execution Count" | head

Screenshots:

broberg · ‎06-27-2019

You may look on field extractions and lookups that excists only in one app and most likely not in the Search and report app, thats why you don't get any statistics.
For example: splunk do not know what "user" is if that field is field extracted in the other app but not in Search and reporting.

View solution in original post

broberg · ‎06-27-2019

You may look on field extractions and lookups that excists only in one app and most likely not in the Search and report app, thats why you don't get any statistics.
For example: splunk do not know what "user" is if that field is field extracted in the other app but not in Search and reporting.

iparitosh · ‎07-01-2019

Thank you. Field extraction was not shared across all apps.

Why same search query shows two different results when executed via different apps? (No Macros used.)

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...