https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248595#M74225 <P>+1 for the Syslog note.<BR /> Let me try the line break and see if that is the cause.</P> <P>I have created a custom source_type and set the event break regex there. I hope that's the same as BREAK_ONLY_BEFORE.</P> Tue, 29 Sep 2020 08:33:39 GMT cmisztur 2020-09-29T08:33:39Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248592#M74222 <P>I have configured Kepware IDF for Splunk and am ingesting data over TCP:51112. The source_type I have set ('opc') is arbitrary and does not exist. I have noticed when executing below search, the results are incorrect. The two records for "RunState" get omitted from the below search, and I am assuming that is because that collection of events contains an entry with Quality="bad", which does not meet my criteria.</P> <P>Am I missing something fundamental, like not creating or setting a source_type?</P> <P>WorkCenter="CNF59" | search RunState Quality="good"</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/997i4B1C196E6CC7693C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 26 Jan 2016 22:29:20 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248592#M74222 cmisztur 2016-01-26T22:29:20Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248593#M74223 <P>I think your line breaking isn't right. </P> <P>That whole thing looks like one event, and as one event it has both Quality="good" AND Quality="bad" in it. So, searching for Quality="good" brings up that entire event.</P> <P>There are a variety of ways to fix this, possibly easiest may be - if it works - to change your <A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Propsconf">props.conf</A> for that sourcetype to </P> <PRE><CODE>[my_custom_sourcetype] BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} </CODE></PRE> <P>There are quite a few <A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Indexmulti-lineevents">other options</A>. Personally, I think this issue could be caused because you are directly ingesting events over the network, and the source it sending them oddly. I'm pertty sure all the default line-breaking and timestamping would take care of this if you were <A href="http://www.georgestarcher.com/splunk-success-with-syslog/">ingesting them with syslog to a file</A>, then reading those files off disk and into Splunk. (This method has a LOT of other advantages, too!).</P> Wed, 27 Jan 2016 02:07:29 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248593#M74223 Richfez 2016-01-27T02:07:29Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248594#M74224 <P>It looks like you need to tune the line breaking of these events as in your example Splunk is merging 4 log events into a separate Splunk events (check out props.conf). Once you have line breaking setup properly your searches should work as currently Splunk is trying to extract 4 values for this event and only one of them is winning.</P> Wed, 27 Jan 2016 02:13:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248594#M74224 kbecker 2016-01-27T02:13:24Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248595#M74225 <P>+1 for the Syslog note.<BR /> Let me try the line break and see if that is the cause.</P> <P>I have created a custom source_type and set the event break regex there. I hope that's the same as BREAK_ONLY_BEFORE.</P> Tue, 29 Sep 2020 08:33:39 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-inconsistent-search-results/m-p/248595#M74225 cmisztur 2020-09-29T08:33:39Z