Fewer events and results returned when using adhoc_search_level = verbose #459

Open
john-corcoran opened this issue May 30, 2022 · 2 comments


@john-corcoran

Describe the bug
Identical non-transforming searches run across fast, smart and verbose modes (modes selected using the adhoc_search_level parameter) will return fewer events and results when using verbose mode. This may be expected behaviour due to additional system constraints when using verbose mode; however, no warning is raised and I haven't found any documentation that indicates this is a risk (apologies if it exists and I've missed it).

To reproduce

  • Example search: "search index=indexname"
  • When performed using fast and smart modes (by changing adhoc_search_level), eventCount and resultCount for the job will be the same figure (150K for an example index I'm running it on). Pulling the events and results in separate operations (using results.JSONResultsReader(job.events) and results.JSONResultsReader(job.results)) will return equivalent datasets (for each, data is pulled in 50K paginated batches).
  • When performing the same search in verbose mode, the eventCount will be the same figure as above; however, the resultCount will be a smaller figure (30K in my example). Pulling the events and results using the JSONResultsReader operations listed above will result in equivalent datasets; however, they will both be for the smaller figure - i.e. the eventCount, although listed as the correct figure (150K), is inaccurate and the returned events will also be fewer than they should be (pagination is still attempted in 50K batches for the 150K size eventCount, but only 30K of events are returned in my example).

Expected behavior
That verbose non-transforming searches would have the same event and result counts returned as fast and smart searches.

Splunk:

SDK:

@tdhellmann
Contributor

@john-corcoran can I get some additional information from you?

  • Which Splunk platform versions are you encountering this issue on?
  • Are you encountering this issue on the Splunk Cloud Platform or on Splunk Enterprise?
  • What Splunk platform deployment architecture are you using (standalone/single-instance deployment, search head clustering, etc. - I do not think this last bit matters, but I want to be able to communicate it to the Search API team)

@john-corcoran
Author

Hi @tdhellmann - this is from the Docker version of Splunk Enterprise (v8.2.4) (https://hub.docker.com/r/splunk/splunk/), running locally on a single host (using sample data) with search head / clustering defaults (I'm not sure on the specifics for Splunk in Docker, but can find out if needed). (I've mostly copied notes from my previous message, please let me know if there's more detail you needed that I've missed.)
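
A guard for the silent shortfall described in the report at the top of this thread, as an added example that is not code from the SDK or from either participant: it pages through a job and raises when fewer rows arrive than the job's counter states. The names `export_all`, `audit_modes`, `stub_fetcher` and `TruncatedExport` are hypothetical, the sample counts are constructed (the report's figures scaled down 1000x), and treating `eventCount == resultCount` as the baseline for a non-transforming search is an assumption taken from the fast/smart behaviour the report describes.

```python
class TruncatedExport(Exception):
    """Fewer rows came back than the job's own counter promised."""

def export_all(fetch_page, expected, page_size=50_000):
    """Page through a job's rows and fail loudly on a shortfall.

    fetch_page(offset, count) -> iterable of row dicts. With the SDK it could be:
      lambda off, n: [r for r in results.JSONResultsReader(
          job.events(output_mode="json", offset=off, count=n)) if isinstance(r, dict)]
    expected is int(job["eventCount"]) or int(job["resultCount"]).
    """
    rows, offset = [], 0
    while offset < expected:
        page = list(fetch_page(offset, page_size))
        if not page:  # server has nothing more, whatever the counter says
            break
        rows.extend(page)
        offset += len(page)
    if len(rows) != expected:
        raise TruncatedExport(f"expected {expected} rows, received {len(rows)}")
    return rows

def audit_modes(jobs, page_size=50_000):
    """jobs: {mode: (eventCount, resultCount, fetch_page)} -> {mode: findings}."""
    findings = {}
    for mode, (event_count, result_count, fetch_page) in jobs.items():
        problems = []
        if result_count != event_count:  # assumed baseline, see lead-in
            problems.append(f"resultCount {result_count} != eventCount {event_count}")
        try:
            export_all(fetch_page, event_count, page_size)
        except TruncatedExport as exc:
            problems.append(str(exc))
        findings[mode] = problems or ["ok"]
    return findings

def stub_fetcher(available):
    """Constructed stand-in for a search job that can serve `available` rows."""
    data = [{"_serial": str(i)} for i in range(available)]
    return lambda offset, count: data[offset:offset + count]

# Constructed sample: (eventCount, resultCount, fetcher) per adhoc_search_level.
SAMPLE = {
    "fast": (150, 150, stub_fetcher(150)),
    "smart": (150, 150, stub_fetcher(150)),
    "verbose": (150, 30, stub_fetcher(30)),
}

if __name__ == "__main__":
    for mode, finding in audit_modes(SAMPLE, page_size=50).items():
        print(mode, finding)
```

For an export that feeds an investigation or a detection pipeline, raising on the mismatch keeps a partial dataset from being treated as complete.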
