https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456311#M129000 <P>Hi,</P> <P>I think I found why: afterrunning the search, when I click on "job", it displays:<BR /> "Search auto-finalized after disk usage limit (0MB) reached "</P> <P>I read through documentation, and found this can be controlled with setting the value for "srchDiskQuota" in<BR /> "authentication.conf", which I did:</P> <P>[role_admin]<BR /> srchDiskQuota = 500</P> <P>Then restarting Spluk.<BR /> I am afraid: This did not help, still same behaviour.<BR /> I guess: Since there are no "real" roles in Splunk free, it is not possible to set this parameter manually by changing "authentication.conf" .</P> <P>My theory is: I guess for Splunk Free, this value is set to "0" to "encourage" people to get a real license, bc. bigger searches will have the auto-finalized status?<BR /> Can you please confirm if this is the case? If yes, I suggest to to also update "Splunk Free vs. Splunk Enterprise" documentation, so people know about this limitation.</P> <P>Thanks!</P> <P>Best Regards<BR /> Florian</P> Fri, 14 Sep 2018 08:27:58 GMT flopit 2018-09-14T08:27:58Z https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456310#M128999 <P>Hi,</P> <P>I have Splunk Free (I am afraid this is not present in the "choose product" list, switched from "Enterprise Trial"...).</P> <P>I am using the same user (there is only admin user in Splunk Free), and I have tried to run a very simple query several times,</P> <PRE><CODE>host="abc-def.csv" </CODE></PRE> <P>The time picker = "All time". </P> <P>Moreover, the index records do not change during the searches (one time load CSV). </P> <P>Also, settings for event sampling are "No event sampling".</P> <P>Now, strangely, I always get a different amount of events returned (e.g. ranging from 132k to 169k events...).</P> <P>Why is this so? Is there kind of timeout and how can I increase it?</P> <P>There are several similar posts, but all are n.a. - e.g. I use a single user and the index does not change, ...</P> <P>Thanks!</P> <P>Best Regards<BR /> Florian</P> Wed, 12 Sep 2018 08:37:46 GMT https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456310#M128999 flopit 2018-09-12T08:37:46Z https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456311#M129000 <P>Hi,</P> <P>I think I found why: afterrunning the search, when I click on "job", it displays:<BR /> "Search auto-finalized after disk usage limit (0MB) reached "</P> <P>I read through documentation, and found this can be controlled with setting the value for "srchDiskQuota" in<BR /> "authentication.conf", which I did:</P> <P>[role_admin]<BR /> srchDiskQuota = 500</P> <P>Then restarting Spluk.<BR /> I am afraid: This did not help, still same behaviour.<BR /> I guess: Since there are no "real" roles in Splunk free, it is not possible to set this parameter manually by changing "authentication.conf" .</P> <P>My theory is: I guess for Splunk Free, this value is set to "0" to "encourage" people to get a real license, bc. bigger searches will have the auto-finalized status?<BR /> Can you please confirm if this is the case? If yes, I suggest to to also update "Splunk Free vs. Splunk Enterprise" documentation, so people know about this limitation.</P> <P>Thanks!</P> <P>Best Regards<BR /> Florian</P> Fri, 14 Sep 2018 08:27:58 GMT https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456311#M129000 flopit 2018-09-14T08:27:58Z https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456312#M129001 <P>What is the release number of your Splunk installation? 7.1.1 maybe?</P> Fri, 14 Sep 2018 13:56:17 GMT https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456312#M129001 janispelss 2018-09-14T13:56:17Z https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456313#M129002 <P>I had the same idea, downloaded and upgraded to 7.1.3, now all is good again!</P> Fri, 14 Sep 2018 14:05:57 GMT https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456313#M129002 flopit 2018-09-14T14:05:57Z https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456314#M129003 <P>Upgrade to 7.1.3. helped! Now all looks good, no more "Search auto-finalized after disk usage limit (0MB) reached ".</P> Fri, 14 Sep 2018 14:06:32 GMT https://community.splunk.com/t5/Splunk-Search/In-Splunk-Free-Version-why-is-the-same-search-query-returning/m-p/456314#M129003 flopit 2018-09-14T14:06:32Z