Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Running the same search, why are different results showing up?

szymonledzinski
New Member
‎03-13-2019 07:07 AM

If I run the same search using the same time window I get sometimes different results.
I have added 

| eval bkt=_bkt | stats count by splunk_server index bkt

At the end of the search to check which buckets are being read.
For some reason splunk skips 1 or 2 buckets sometimes.
We are using indexer cluster (10 nodes, 2 search factor, 3 replication factor).
All Data is Searchable, Search Factor is Met and Replication Factor is Met.
I don't see any errors in search logs. Any ideas what could be a problem?

0 Karma
Reply

nickhills
Ultra Champion
‎03-13-2019 07:52 AM

Because buckets are uniquely named per indexer, it will depend which indexer in your cluster provides the results to your search.

Since you have a Search factor > 1, there are two or more copies of each bucket (which will have different names on each indexer since each indexer applies its GUID to the end)

Its not an exact science, but (if your data is well distributed) a search over a small time window should return ~10 buckets (ideally one from each indexer)
If you run that search later, it's conceivable that you could get 10 entirely different buckets returned (from different servers), whilst representing the exact same results. This is by design.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...