Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why do I have a different result in a saved search from CSV files and a different saved search history?

ifbeli
New Member
‎02-09-2018 04:50 AM

Hi guys,

We have a saved search that takes its sources from 5 csv files. On a run, it returns back 10k of events.

However, when I have a look at the saved search history, the number of events is not 10k and the source csv file for the current day is not there, meaning that we have 4 csv files as sources.

May be I am missing something, but is that a default behavior or something that we could change here ?

Let me know if you need more information.

Regards,

Iliya

0 Karma
Reply

micahkemp
Champion
‎02-09-2018 09:14 AM

How is your search taking data from the CSV files? Are they indexed files, or are you using | inputlookup or something else?

0 Karma
Reply

ifbeli
New Member
‎02-11-2018 10:49 PM

They are indexed files.

0 Karma
Reply

valiquet
Contributor
‎03-09-2018 03:24 AM

Maybe you reached numb. of results in limits.conf
Maybe check if it's shared globally

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...