Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Derson
Derson
Explorer
Member since:
10-06-2022
02-08-2024
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 11 |
| Karma Received | 0 |
| Member Since | 10-06-2022 |
Activity Feed
- Posted Re: Eval or Lookup bug on Splunk Search. 01-23-2024 01:25 PM
- Karma Re: Eval or Lookup bug for PickleRick. 01-23-2024 12:31 PM
- Posted Re: Eval or Lookup bug on Splunk Search. 01-23-2024 11:43 AM
- Karma Re: Eval or Lookup bug for PickleRick. 01-23-2024 11:31 AM
- Karma Re: Eval or Lookup bug for scelikok. 01-23-2024 11:28 AM
- Karma Re: Eval or Lookup bug for scelikok. 01-23-2024 09:46 AM
- Posted Re: Eval or Lookup bug on Splunk Search. 01-23-2024 09:39 AM
- Posted Eval or Lookup bug on Splunk Search. 01-22-2024 04:28 PM
- Karma Re: Finding your local timezone with 'eval'? for gkanapathy. 09-25-2023 01:45 PM
- Karma Re: How can we create Tabs using Link List in Splunk with only CSS Override NO SplunkXML JS Extension? for niketn. 08-07-2023 01:29 PM
- Karma Re: Set multiple tokens using "condition match" for woodcock. 05-02-2023 07:55 AM
- Karma Re: stats vs eventstats for mayurr98. 05-02-2023 07:05 AM
- Karma Re: How do I access my local Splunk enterprise instance from another local computer on my network? for stephanefotso. 02-04-2023 10:55 PM
- Karma Re: How do I access my local Splunk enterprise instance from another local computer on my network? for Marco. 02-04-2023 10:55 PM
- Karma Re: How do I access my local Splunk enterprise instance from another local computer on my network? for richgalloway. 02-04-2023 10:54 PM
- Posted Why does Walklex return spaces before some of the field names, but fieldsummary does not? on Splunk Search. 01-29-2023 11:20 PM
- Tagged Why does Walklex return spaces before some of the field names, but fieldsummary does not? on Splunk Search. 01-29-2023 11:20 PM
- Tagged Why does Walklex return spaces before some of the field names, but fieldsummary does not? on Splunk Search. 01-29-2023 11:20 PM
- Posted Why won't Walklex timespan follow time specifications? on Splunk Search. 01-29-2023 12:06 AM
- Tagged Why won't Walklex timespan follow time specifications? on Splunk Search. 01-29-2023 12:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-23-2024
01:25 PM
MV fields being stored as strings would make sense, or an object containing strings and a hidden delim field at least. I wish one of the architects would be able to give a technical talk on how this stuff works more behind the scenes so we could help with more pointed debugging info. I considered not having strict typing on the kvstore collection as being the issue, but regardless it shouldn't be returning the wrong value instead of nulls. That would bring it back to the lookup command being the issue. I also think I have found a bug with mvmap that exhibits very similarly to this one. But since it was such an edge case I didn't even make a blog post about it. Hoping a splunk employee will see this and track down the issue behind the scenes.
... View more
01-23-2024
11:43 AM
I wouldn't expect it to be an issue in a dynamically typed language either. In my other response to scelikok, I included a search where the typeof() command either isn't showing the real type of the field, or confirming it is a memory allocation/referencing issue because I think the c++ tostring() function re-allocates the variables (its been a while so I could be wrong though). Do you know if typeof() is returning the actual type of the variable? Or is it all stored as an object behind the scenes so the best typeof() can do is guess based on the contents? Even when I am casting tostring() Splunk still calls it a number. Not calling it a float or an int makes me think it is taking a best guess based on object contents. Reposting the other response's search below: | inputlookup kvstore_560k_lines_long max=15000 | stats count by secondUID | where count=1 AND match(secondUID, "^\d+$") | head 4000 | eval initialType=typeof(secondUID) | eval secondUID=tostring(secondUID) | eval subsiquentType=typeof(secondUID) | where like(initialType, subsiquentType) ```all of the types still read as "numbers" so no events are removed``` My biggest clue that this is abnormal is the event count affecting the % of lookup error in the initial search. If I run the same events through the search that have errors initially but with a smaller search event count, they return the correct results.
... View more
01-23-2024
09:39 AM
Hey @scelikok, Thanks for jumping in to look at this. I agree that part of the problem is the typing here because it only returns the wrong lookup uID values for secondUID values that could be reasonably interpreted as numbers. And maybe this comes down to poor error handling. I wouldn't be satisfied just writing this off to a typing issue though for multiple reasons: First (opaque), this would be completely opaque to the end user. Maybe you have enough experience to tell me, but if it is a typing issue, then the typeof command does not return the actual types of the variables. I have to believe it returns what Splunk expects it would be. For instance in the search below, the last |like command does not remove any results. | inputlookup kvstore_560k_lines_long max=15000 | stats count by secondUID | where count=1 AND match(secondUID, "^\d+$") | head 4000 | eval initialType=typeof(secondUID) | eval secondUID=tostring(secondUID) ```this line causes the search to return different results``` | eval subsiquentType=typeof(secondUID) | where like(initialType, subsiquentType) Second (inconsistent), casting the secondUID with tonumber() makes more wrong results be returned. So whatever is happening is not consistently happening for secondUIDs that are integers. I initially found this by rexing a dashboard token list of secondUIDs so it isn't a matter of how the variables are being initially loaded from the lookup table. This is also shown by needing the eval command to cause the error which is distilled logic from an if statement. And as far as the inconsistency goes, there is no pattern to the numbers that are treated as numbers vs strings. Its not like all numbers starting with 0s have this happen or whitespace being around some. Third (unexpected lookup function), if you looked at any of the events they would look correct. The values for secondUID would be correct and they have results returned for uID. Unless this is just another quirk of Splunk where wrong lookups are possible without warning, I would expect the |lookup to output a null() value when it is unable to use the key it is given. Fourth (noticing the error), because Splunk doesn't give a warning and outputs a result, anybody using dedup or stats without a predetermined output expected would likely never know this exists. The only way I noticed it was because I knew there should be a 1-1 relation between my keys and values and there wasn't at the end of the search. Fifth (event count dependent), since there is a higher % of errors happening when the initial event count goes up without a pattern in the secondUID values being passed in other than being "\d+", this makes me worried there is a memory allocation/referencing bug behind the scenes. Something which would probably also be fixed by tostring if this was the case. Counterpoint being that it reliably returns the same wrong lookup values. Maybe it really is just poor error handling in |lookup combined with typeof() being a lie. But I don't know how to come to a definitive conclusion without having access to the Splunk code (c/c++?) behind the scenes, or analyzing Splunk while it is running to rule out an allocation/referencing issue in absence of the |lookup code... Maybe you would have other ideas on how to narrow it down. Or maybe I'm just crazy
... View more
01-22-2024
04:28 PM
I have a splunk search that is returning the wrong results from a kvstore if the secondUID field is set to itself before doing the lookup. This is distilled from the actual search for simply showing the bug. Both secondUID and uID should be represented as strings. Does anybody know why | eval secondUID=secondUID causes the lookup command to return the wrong results? When it is commented out the correct results are returned. The results are consistently the same wrong results when they are wrong and the errors are event count dependent. So for instance, if I switch the head command on line 4 from 4000 results up to 10000 results, the lookup wrong result rate goes from 4.3% to 11.83% given the lines I am passing in for this example. If I pass in a different set of events, the results would still be wrong and consistently the same results wrong, but not necessarily the same % of wrong results compared to the other starting events. If you either comment out that eval on line 8 or do | eval secondUID=tostring(secondUID) then the correct results are returned from the lookup command. If you switch tostring() with tonumber() the number of wrong lookups goes up. I don't think this is intended functionality because | eval secondUID=secondUID should not be changing the results IMO, and the % of errors depend on how many events are passed through the search. More events = higher % of errors. The string comparison functions in the wheres also show nothing should be changing. | inputlookup kvstore_560k_lines_long max=10000 | stats dc(uID) as uID by secondUID | where uID=1 | head 4000 ```keep 4000 results with the 1=1 uID to secondUID relationship established``` | eval secondUIDArchive=secondUID ```save the initial value ``` | where match(secondUIDArchive, secondUID) and like(secondUIDArchive, secondUID) ```initial value is unchanged``` | eval secondUID=secondUID ```this line causes the search to return different results compared to when commented out``` | where match(secondUIDArchive, secondUID) and like(secondUIDArchive, secondUID) ```string comparison methods show they are the same still``` | lookup kvstore_560k_lines_long secondUID output uID ```output the first UID again where there should be a 1=1 relationship``` | table uID secondUID secondUIDArchive | stats count by uID ```the final output counts of uID vary based on whether the eval on line 8 is commented out.```
... View more
01-29-2023
11:20 PM
Why does Walklex return spaces before some of the field names, but fieldsummary does not? When I see this without field extractions causing spaces in the field names, it usually looks like "special" fields this happens to. But these fields don't seem to exist if I try to search for or using them. Is this as simple as an output parsing bug from walklex or an indexing bug adding a space? If so, 1. Should the space be trimmed or the event be removed to get the correct results? 2. Any context on why this is happening with specific fields? fieldsummary command with no spaces in field names:
index=indexName
| fieldsummary
| stats count by field
Example results from fieldsummary:
field
host
source
sourcetype
timestamp
walklex command with spaces in field names:
| walklex index=indexName type=field
| stats count by field
Example results from walklex:
field
host
timestamp
host
timestamp
... View more
01-29-2023
12:06 AM
When I use walklex on my indexes, it doesn't appear to be following the time specifications very well. Does anybody know what is/might be happening here? Command: | walklex index=indexName type=field | stats count by field Examples for an index: Index 1: * The buckets generally take about 6 hours to roll from hot to warm. * When I select last 24 hours, I get results from above query like I would expect with a bit of overflow due to the bucket time span, but then there is a couple week gap with some events returned from several weeks prior. Index 2: * Some buckets have upwards of 2 years time span. * When I run walklex over the last 7 days, I get results all the way back to 2017. When I look for the bucket ID and guId of the bucket containing the old results using dbinspect over a 14 day time range, I do not see that local ID combined with the guId. But when I look at all time I find the guId and local ID pair. But the bucket shows as being hot and last edited in January of 2020... which all of the other weird behavior set aside, walklex shouldn't be getting data from hot buckets unless the docs are wrong?
... View more
01-28-2023
01:20 AM
I know it has been a while since you asked this @axelmunoz but this might be able to help others since I couldn't find any results either and had to make something. If I made any bad assumptions please correct me. Alternate definition for an artifact: "An artifact is a saved search job that has not reached its ttl yet per search,user,app" This returns all of the artifacts SIDs then makes an event for each and uses the map command to loop through them loading in the results. | rest /services/search/jobs | rename eai:acl.app as app | table author label app defaultTTL ttl diskUsage dispatchState isDone id isFailed isSavedSearch delegate published sid ```extra fields for human``` | where isDone=1 AND like(label,"PutSavedSearchNameHere") ```update this with the name of the search you want. probably smart to add app and user too``` | stats values(sid) as sid by label app author ```this version will be limited by values() max. Use count and mvrange instead if you need over values() max``` | mvexpand sid | map maxsearches=50000 search="| loadjob $sid$"
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-08-2024
05:45 PM
|
