Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why do I have a different result in a saved search from CSV files and a different saved search history?

ifbeli
New Member
‎02-09-2018 04:50 AM

Hi guys,

We have a saved search that takes its sources from 5 csv files. On a run, it returns back 10k of events.

However, when I have a look at the saved search history, the number of events is not 10k and the source csv file for the current day is not there, meaning that we have 4 csv files as sources.

May be I am missing something, but is that a default behavior or something that we could change here ?

Let me know if you need more information.

Regards,

Iliya

0 Karma
Reply

micahkemp
Champion
‎02-09-2018 09:14 AM

How is your search taking data from the CSV files? Are they indexed files, or are you using | inputlookup or something else?

0 Karma
Reply

ifbeli
New Member
‎02-11-2018 10:49 PM

They are indexed files.

0 Karma
Reply

valiquet
Contributor
‎03-09-2018 03:24 AM

Maybe you reached numb. of results in limits.conf
Maybe check if it's shared globally

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...