https://community.splunk.com/t5/Splunk-Search/splunk-search-produces-different-results-when-the-same-query-is/m-p/455230#M168183 <P>Seems like the dedup is playing games. What happens if you dedup the _raw field ? do you still get different results?</P> Wed, 25 Jul 2018 12:32:06 GMT YoungDaniel 2018-07-25T12:32:06Z https://community.splunk.com/t5/Splunk-Search/splunk-search-produces-different-results-when-the-same-query-is/m-p/455229#M168182 <P>I run the query<BR /> index=* tag=xyz customertype=abc action=failure sourcetype=abc123_winlog | dedup _time, user, src, dest<BR /> in fast mode, for the last 7 days</P> <P>how can I get different results???<BR /> on day 4 for example I get 15000 events shown for one period of time (midnight to 1am), and the same time period in a second run of the query then returns 6000 events, how can this be?<BR /> splunk version 6.6.1</P> Tue, 24 Jul 2018 19:26:23 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-produces-different-results-when-the-same-query-is/m-p/455229#M168182 vincenp2 2018-07-24T19:26:23Z https://community.splunk.com/t5/Splunk-Search/splunk-search-produces-different-results-when-the-same-query-is/m-p/455230#M168183 <P>Seems like the dedup is playing games. What happens if you dedup the _raw field ? do you still get different results?</P> Wed, 25 Jul 2018 12:32:06 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-produces-different-results-when-the-same-query-is/m-p/455230#M168183 YoungDaniel 2018-07-25T12:32:06Z