https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620350#M215646 <P>In what way are they different?</P><P>Have a look at the job inspector to see how many events are processed at each stage.</P> Wed, 09 Nov 2022 22:34:19 GMT ITWhisperer 2022-11-09T22:34:19Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620346#M215643 <P>Hi,</P> <P>on our Splunk instance I have set a report using a time chart with a span of 1h and time frame of a day and the report is scheduled to run every hour however each time the report runs it shows different results. Just wondered if anyone has seen this before?</P> <P>&nbsp;</P> <P>thanks,</P> <P>&nbsp;</P> <P>joe</P> Thu, 10 Nov 2022 15:27:15 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620346#M215643 joe06031990 2022-11-10T15:27:15Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620350#M215646 <P>In what way are they different?</P><P>Have a look at the job inspector to see how many events are processed at each stage.</P> Wed, 09 Nov 2022 22:34:19 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620350#M215646 ITWhisperer 2022-11-09T22:34:19Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620351#M215647 <P>What is your time range set to, i.e. what is the exact earliest/latest in the search definition.</P><P>If you have your 'end' time as now, then it will search up to now, so naturally each hour will have different results.</P><P>When you say time frame of a day, do you mean 24h.</P><P>Can you expand on what you mean by 'different results'. In what way?</P><P>&nbsp;</P> Wed, 09 Nov 2022 22:35:03 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620351#M215647 bowesmana 2022-11-09T22:35:03Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620354#M215650 <P>Hi ,</P><P>the timeframe is set to today and the span in the time chart is 1 hour.</P><P>sometime the volume is lower or higher from the same hour.</P> Wed, 09 Nov 2022 22:45:37 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620354#M215650 joe06031990 2022-11-09T22:45:37Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620356#M215651 <P>So, at 10am it runs it gives 10 values for the first 10 hours and at 11 am you have 11 values, and are you saying that ANY of the first 10 can have different values or just the value for 10am?</P><P>What is the 'ending' time of the search in 'Today'? Is it now or&nbsp;@h&nbsp;</P><P>If it's now, it will be somewhat vague, as it may not contain events that are being indexed at that time, or events that maybe arrive one or two minutes after the search has run, but which have slightly earlier times.</P><P>One way to see if you have event 'lag' is to look at _indextime field to see how much difference there is between that and _time.&nbsp;</P><P>If _time is some time before _indextime, you have lag</P><P>&nbsp;</P> Wed, 09 Nov 2022 22:56:50 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620356#M215651 bowesmana 2022-11-09T22:56:50Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620677#M215764 <P>Looks like there was a fault with two of the search head nodes.</P> Sun, 13 Nov 2022 10:49:41 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-else-got-inconsistent-results-in-Splunk/m-p/620677#M215764 joe06031990 2022-11-13T10:49:41Z