https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397226#M115297 <P>Adding to what Woodcock said above, I've found <CODE>transaction</CODE> can be replaced by <CODE>stats</CODE> in most situations with a little extra effort. Obviously it depends on what you're trying to report on, but something like this:</P> <PRE><CODE>index=linux sourcetype=syslog | stats last(somefield) as last_something first(somefield) as first_something range(_time) as span by queue_id </CODE></PRE> Wed, 17 Jul 2019 13:47:18 GMT twinspop 2019-07-17T13:47:18Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397222#M115293 <P>If I run the same search using two different time windows I consistently get different results.<BR /> I'm looking to count the number of email messages sent. The search query is simple:</P> <PRE><CODE>index="linux" sourcetype="syslog" | transaction queue_id </CODE></PRE> <P>When i search for a time range of 19:00:00 to 19:30:00 I get the following results (note from 19:21 on there are zero results):<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7364i1D15E5CAC67DFD02/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>If I then search for 19:21:00 to 19:22:00 I get the following results (note: now where are 245 events):<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7365i9459604DB12BD575/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 15 Jul 2019 19:32:38 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397222#M115293 eckdale 2019-07-15T19:32:38Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397223#M115294 <P>Because <CODE>transaction</CODE> is a command that consumes a HUGE amount of RAM and when scaled to any practical time-window will exhaust all RAM available to you and your search and WILL SILENTLY ABORT yielding partial results and NO INDICATION THAT HAPPENED (unless you <CODE>Inspect</CODE> your <CODE>job</CODE> and check the <CODE>search.log</CODE>). This is the main reason that I am constantly harping: <CODE>DO NOT USE transaction!</CODE> So don't use it.</P> Mon, 15 Jul 2019 20:06:54 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397223#M115294 woodcock 2019-07-15T20:06:54Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397224#M115295 <P>So that's good to know. I'll inspect the job and look into search.log for more details.</P> <P>Two questions then:<BR /> If I can't use <CODE>transaction</CODE> to group multiple events then what do I use?<BR /> My single-instance Splunk Enterprise server has 256GB of memory and appears to use <STRONG>very little</STRONG> of that memory. Am I really exhausting resources?</P> Mon, 15 Jul 2019 20:27:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397224#M115295 eckdale 2019-07-15T20:27:24Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397225#M115296 <P>Per your instruction I took a look at <CODE>Inspector</CODE> (should have done this originally) and it does indicate: "Some transactions have been discarded. To include them, add keepevicted=true.</P> <P>Adding that to the query does in fact resolve the issue.</P> Mon, 15 Jul 2019 20:33:52 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397225#M115296 eckdale 2019-07-15T20:33:52Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397226#M115297 <P>Adding to what Woodcock said above, I've found <CODE>transaction</CODE> can be replaced by <CODE>stats</CODE> in most situations with a little extra effort. Obviously it depends on what you're trying to report on, but something like this:</P> <PRE><CODE>index=linux sourcetype=syslog | stats last(somefield) as last_something first(somefield) as first_something range(_time) as span by queue_id </CODE></PRE> Wed, 17 Jul 2019 13:47:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397226#M115297 twinspop 2019-07-17T13:47:18Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397227#M115298 <P>Even so, do not use <CODE>transaction</CODE>; take the time and effort to use <CODE>*stats</CODE>.</P> Wed, 17 Jul 2019 21:20:47 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-different-results-for-the-same-search/m-p/397227#M115298 woodcock 2019-07-17T21:20:47Z