https://community.splunk.com/t5/Splunk-Search/Splunk-Api-query-returns-inconsistent-results/m-p/284827#M190690 <P>Thanks for your reply. I will change the stats and give a try.</P> <P>Userid1,2,3.. is an example. it can be value of anything like "rob","john","123ad"...</P> Sat, 19 Dec 2015 16:15:33 GMT cse9423 2015-12-19T16:15:33Z https://community.splunk.com/t5/Splunk-Search/Splunk-Api-query-returns-inconsistent-results/m-p/284825#M190688 <P>Hello, </P> <P>I am getting inconsistent results from splunk for below queries.</P> <PRE><CODE>query1: search index=index01 AND status=success AND (userid=user1 OR userid=user2 or userid=user3.... till userid=user50) | stats values(userid), values(ip) by ip query2: search index=index01 AND status=success AND (userid=user1 OR userid=user2 or userid=user3) | stats values(userid, values(ip) by ip </CODE></PRE> <P>(basically i have less number of userid in the query2).</P> <P>The first query returns 3 records for user1 which is not correct and the second query returns 5 records for user1 which is correct.</P> <P>I am using splunk 1.3.2 jar to execute these queries. Any help greatly appreciated.</P> <P>Here is code snippet,</P> <PRE><CODE>JobArgs job = new JobArgs(); jobar.setExecutonMode(JobAgs.ExecutionMode.Blocking); jobar.setLatestTime(latesttime); //latesttime: yesterday jobar.setEarliestTime(earliesttime) //earliesttime: yesterday - 10days Service service = getSplunkServiceConnection(); Job job = service.getJobs.create(query, jobar); while (!job.isDone()){ try{ Thread.sleep(500); } catch(InterrruptedExecption e){ } } // process the result JobResultsArgs result = new JobResultsArgs(); result.setOutputMode(OutputMode.JSON); InputStream resultstream = job.getResults(result); ResultsReader resultreader = new ResultsReaderJson(resultstream); while(HashMap&lt;String,String&gt; event = resultreader.getNextEvent()) ! = null){ String ip = event.get("ip"); String id = event.get("userid"); } </CODE></PRE> Fri, 18 Dec 2015 19:54:33 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Api-query-returns-inconsistent-results/m-p/284825#M190688 cse9423 2015-12-18T19:54:33Z https://community.splunk.com/t5/Splunk-Search/Splunk-Api-query-returns-inconsistent-results/m-p/284826#M190689 <P>It sounds like you're exceeding the limits of the <CODE>stats</CODE> command (50000 events by default). I would increase the limit and use userid=* instead if you want to search for them all. You could do userid&lt;51 to get the first 50 too.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Limitsconf">http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Limitsconf</A></P> <P>Please note the following when handling limits.conf in a distributed environment:<BR /> # limits.conf settings and DISTRIBUTED SEARCH<BR /> # Unlike most settings which affect searches, limits.conf settings are not<BR /> # provided by the search head to be used by the search peers. This means<BR /> # that if you need to alter search-affecting limits in a distributed<BR /> # environment, typically you will need to modify these settings on the<BR /> # relevant peers and search head for consistent results.</P> Fri, 18 Dec 2015 22:31:59 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Api-query-returns-inconsistent-results/m-p/284826#M190689 jkat54 2015-12-18T22:31:59Z https://community.splunk.com/t5/Splunk-Search/Splunk-Api-query-returns-inconsistent-results/m-p/284827#M190690 <P>Thanks for your reply. I will change the stats and give a try.</P> <P>Userid1,2,3.. is an example. it can be value of anything like "rob","john","123ad"...</P> Sat, 19 Dec 2015 16:15:33 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Api-query-returns-inconsistent-results/m-p/284827#M190690 cse9423 2015-12-19T16:15:33Z