<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why Splunk showing event count mismatch? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156230#M31697</link>
    <description>&lt;P&gt;Some events may have expired and been removed but more likely you are &lt;CODE&gt;not&lt;/CODE&gt; running your search for &lt;CODE&gt;All Time&lt;/CODE&gt; and some events are mis-timestamped so that they are &lt;CODE&gt;in the future&lt;/CODE&gt; (which most versions of Splunk include inside &lt;CODE&gt;All Time&lt;/CODE&gt; but I have heard that some versions of &lt;CODE&gt;All Time&lt;/CODE&gt; use &lt;CODE&gt;latest=now&lt;/CODE&gt;).  These &lt;CODE&gt;future&lt;/CODE&gt; events should never happen (but trust me: they do) and will only show up if you do a search for &lt;CODE&gt;All Time&lt;/CODE&gt; (or use &lt;CODE&gt;latest=999999999&lt;/CODE&gt;).  If this is the problem, you most likely have a TIMEZONE issue.&lt;/P&gt;</description>
    <pubDate>Tue, 19 May 2015 16:38:38 GMT</pubDate>
    <dc:creator>woodcock</dc:creator>
    <dc:date>2015-05-19T16:38:38Z</dc:date>
    <item>
      <title>Why Splunk showing event count mismatch?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156229#M31696</link>
      <description>&lt;P&gt;When I see number of events in Forwarder server it shows me total line count 24130&lt;BR /&gt;
cat /opt/xxt/xx/*gz | zgrep ST-xxxx | grep identity | wc -l&lt;BR /&gt;
24130&lt;/P&gt;

&lt;P&gt;When I do the same search from Splunk , it shows the event count 24018&lt;BR /&gt;
Index= main sourcetype=xx ST-xxxx identity&lt;BR /&gt;
I got following result:&lt;BR /&gt;
24018 events(15/02/2015 00:00:00:000 to 16/02/2015 00:00:00:000)&lt;/P&gt;

&lt;P&gt;Why Splunk showing less evets?&lt;/P&gt;</description>
      <pubDate>Fri, 20 Feb 2015 12:03:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156229#M31696</guid>
      <dc:creator>rajuljain1990</dc:creator>
      <dc:date>2015-02-20T12:03:19Z</dc:date>
    </item>
    <item>
      <title>Re: Why Splunk showing event count mismatch?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156230#M31697</link>
      <description>&lt;P&gt;Some events may have expired and been removed but more likely you are &lt;CODE&gt;not&lt;/CODE&gt; running your search for &lt;CODE&gt;All Time&lt;/CODE&gt; and some events are mis-timestamped so that they are &lt;CODE&gt;in the future&lt;/CODE&gt; (which most versions of Splunk include inside &lt;CODE&gt;All Time&lt;/CODE&gt; but I have heard that some versions of &lt;CODE&gt;All Time&lt;/CODE&gt; use &lt;CODE&gt;latest=now&lt;/CODE&gt;).  These &lt;CODE&gt;future&lt;/CODE&gt; events should never happen (but trust me: they do) and will only show up if you do a search for &lt;CODE&gt;All Time&lt;/CODE&gt; (or use &lt;CODE&gt;latest=999999999&lt;/CODE&gt;).  If this is the problem, you most likely have a TIMEZONE issue.&lt;/P&gt;</description>
      <pubDate>Tue, 19 May 2015 16:38:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156230#M31697</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2015-05-19T16:38:38Z</dc:date>
    </item>
    <item>
      <title>Re: Why Splunk showing event count mismatch?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156231#M31698</link>
      <description>&lt;P&gt;Hey rajuljain1990, have you find any solution for this , i am having similar problem here , please post here , if your issue has been resolved!&lt;/P&gt;</description>
      <pubDate>Sat, 22 Jun 2019 22:30:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156231#M31698</guid>
      <dc:creator>splunker545</dc:creator>
      <dc:date>2019-06-22T22:30:50Z</dc:date>
    </item>
    <item>
      <title>Re: Why Splunk showing event count mismatch?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156232#M31699</link>
      <description>&lt;P&gt;Check @woodcock's answer first, if everything is okay there then we need to see your source of input props.conf and transforms.conf related to that. As with props.conf and transforms.conf events can be ignored conditionally.&lt;/P&gt;</description>
      <pubDate>Sun, 23 Jun 2019 10:02:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-showing-event-count-mismatch/m-p/156232#M31699</guid>
      <dc:creator>VatsalJagani</dc:creator>
      <dc:date>2019-06-23T10:02:02Z</dc:date>
    </item>
  </channel>
</rss>

