Deployment Architecture
Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

Path Finder

Hi

We have weird behavior: in the Data Summary screen on the Search Head we see a host reporting events, but when clicking on the host and searching for the details, the Search Head shows 0 results.

This is happening only with 1 host; other hosts from the same index and same sourcetype did not present the same issue.

Any Ideas?

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

SplunkTrust

Have there been calls to the delete command?

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

Path Finder

No, no one has those privileges.

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

Path Finder

I am experiencing the same issue as the original post, however, I have been issuing the delete command to remove test data, etc. When I issue the delete command it confirms that the correct number of events have been deleted, yet days later the Data Summary still shows event counts for hosts which no longer have associated events indexed. Please advise.

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

SplunkTrust

The data summary is not updated by the delete command.

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

Path Finder

And so how does one update the Data Summary after using the delete command? The documentation glosses over this point.

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

SplunkTrust

You don't. It updates itself when the bucket ages out.

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

Path Finder

What's the logic behind having this discrepancy? I don't administer the application, so I don't yet know what the retention period is, but why would someone want the Data Summary to continue to show results for data which is no longer present for the next X days/weeks/months?

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

SplunkTrust

The metadata command uses data that doesn't get updated when events are marked for deletion. Deleting events isn't intended to happen at all in Splunk, so it's not that big of a deal.
The metadata has many more shortcomings, for example it doesn't honour time ranges accurately but rather has an all-or-nothing-per-bucket approach giving you seriously inaccurate data even without the delete command.

If you want accurate summaries, use tstats.
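As an added example (not from the thread or from Splunk's documentation), assuming a placeholder index named `main` and a 30-day window: the search lists hosts that the metadata-backed Data Summary still reports but for which an index-accurate `tstats` count over the window returns nothing, which is exactly the discrepancy described above.

```spl
| metadata type=hosts index=main
| table host totalCount lastTime
| join type=left host
    [| tstats count AS live_count
       WHERE index=main earliest=-30d@d latest=now
       BY host]
| fillnull value=0 live_count
| where live_count=0
| convert ctime(lastTime)
| sort - totalCount
```

Hosts returned here carry stale per-bucket metadata (events deleted or aged out) but have no searchable events in the window; for an accurate per-host summary on its own, run the `tstats` subsearch by itself with the time range you actually care about.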

Re: Data Summary Reports Events for a Host but Searching the Host in the Search Head Doesn't Show Events

SplunkTrust

Okay... made sure the search runs over a sufficiently large time range?
