https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35515#M6467 <P>It happens! Regarding normalization, it is really hard to guess the user's intentions, so Splunk assumes that they mean what they typed. Still, it seems like a cool research project to put on the list.</P> Tue, 01 Feb 2011 13:01:35 GMT araitz 2011-02-01T13:01:35Z https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35512#M6464 <P>I am running a simple query over a large index via the CLI. My search completes but does not give me the expected results. For example, I may know that the string "foo" occurs in 30 sources, but when I run my search it will only (but consistently) return a subset of those sources.</P> <PRE><CODE>nohup /opt/splunk/bin/splunk search 'index=my_index | search foo | stats count by source' -preview false -maxout 0 -auth username:password &gt; myresults.out 2&gt;&amp;1 &amp; </CODE></PRE> <P>I'm wondering if perhaps there is some internal timeout could be causing my search not to return the full set of results?</P> <P>And yes, a time range would help but I need to search the whole corpus, and all of the "timestamps" are within the short time period it took to index the data.</P> <P>I am also currently attempting to re-run my queries with preview set to true to see if this will force a different behavior.</P> <P>Thanks, Kevin</P> Sat, 29 Jan 2011 04:19:20 GMT https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35512#M6464 kevintelford 2011-01-29T04:19:20Z https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35513#M6465 <P>Try:</P> <PRE><CODE>index=my_index foo | stats count by source </CODE></PRE> <P>Your original search told Splunk to return all events in my_index to the search command 'search', and then for 'search' to filter out events with the term 'foo'. You can see how this is inefficient and can lead to inconsistent results if you hit a search and/or disk quota before events from all the searches are returned.</P> <P>The above search tells Splunk to return all events in my_index that contain the term 'foo', which is going to perform much better than the original search and will make it far less likely that you hit a search and/or disk quota.</P> Sat, 29 Jan 2011 05:41:40 GMT https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35513#M6465 araitz 2011-01-29T05:41:40Z https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35514#M6466 <P>I feel like such an idiot. I was always under the impression that Splunk would normalize the query for me behind the scenes. I just liked to make my query more verbose for reading purposes.</P> <P>Ah well, lesson learned. Thanks dude.</P> Tue, 01 Feb 2011 01:18:42 GMT https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35514#M6466 kevintelford 2011-02-01T01:18:42Z https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35515#M6467 <P>It happens! Regarding normalization, it is really hard to guess the user's intentions, so Splunk assumes that they mean what they typed. Still, it seems like a cool research project to put on the list.</P> Tue, 01 Feb 2011 13:01:35 GMT https://community.splunk.com/t5/Getting-Data-In/Timout-issue-with-CLI-queries/m-p/35515#M6467 araitz 2011-02-01T13:01:35Z