Hello,
I am getting inconsistent results from Splunk for the queries below.
query1:
search index=index01 AND status=success AND (userid=user1 OR userid=user2 or userid=user3.... till userid=user50) | stats values(userid), values(ip) by ip
query2:
search index=index01 AND status=success AND (userid=user1 OR userid=user2 or userid=user3) | stats values(userid), values(ip) by ip
(Basically, I have fewer userids in query2.)
The first query returns 3 records for user1, which is not correct, and the second query returns 5 records for user1, which is correct.
I am using the Splunk 1.3.2 jar to execute these queries. Any help is greatly appreciated.
Here is the code snippet:
    import com.splunk.*;
    import java.io.InputStream;
    import java.util.HashMap;

    // run the search as a blocking job over the chosen time window
    JobArgs jobar = new JobArgs();
    jobar.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
    jobar.setLatestTime(latesttime);     // latesttime: yesterday
    jobar.setEarliestTime(earliesttime); // earliesttime: yesterday - 10days
    Service service = getSplunkServiceConnection();
    Job job = service.getJobs().create(query, jobar);
    // poll until the job reports that it is done
    while (!job.isDone()) {
        try {
            Thread.sleep(500);
        } catch (InterruptedException e) {
            // ignored: keep polling
        }
    }
    // process the result
    JobResultsArgs result = new JobResultsArgs();
    result.setOutputMode(JobResultsArgs.OutputMode.JSON);
    InputStream resultstream = job.getResults(result);
    ResultsReader resultreader = new ResultsReaderJson(resultstream);
    HashMap<String, String> event;
    // read one result row at a time until the reader is exhausted
    while ((event = resultreader.getNextEvent()) != null) {
        String ip = event.get("ip");
        String id = event.get("userid");
    }