I got a different result count when I executed this query a week before, and when I executed it today. The first time, the query returned 16 records, today, it returned 21! How is this possible? I ran the search for the same absolute time period both times. If it helps, I experienced similar inconsistent results with another query on the same search head. There are no errors in the search results that could point to any suppressed events:
servername=abc* sourcetype=bq
| rex "java\.\S+\.(?P[ A-Z]+(Err))"
| rex field=_raw "(?com\.jss\S*\.\S+)\.[A-Z]\S+\((?\w+)\.java:(?\d+)\)"
| search Var1=NNN
| eval Var3=coalesce(Var3, "No Var3"), Var4=coalesce(Var4, "No Var4"), Var3=Var3. "." .Var4
| search Var3=*
| stats count by Var1, Var3, Var2
I have already spent many hours trying to troubleshoot this, so any pointers would be very helpful. Thank you!
↧