Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How come the number of events is different between the database and the search?

dingguibin1
New Member
‎12-27-2018 07:30 PM

Hello.

Recently I met a problem. I found that a number of events are different between the database and the search.

I confirmed that the number of events was correct when I connected the database(picture1 in attachment).

However, when I found events in DB connect, the number of events was much more bigger than in the DB.

I further checked the events and found out that some events in the database were imported into Splunk more than once(some twice, some triple).

So the number of events in Splunk is bigger than in the database.

Furthermore, when Splunk first connected with the database, the number of events was correct in Splunk.

But maybe, after several days, the number became wrong. Could someone tell me what is the reason?

Thank you so much!

Tags (1)
Preview file
53 KB
Preview file
54 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎12-31-2018 08:24 PM

What version of DBConnect? Some versions have a hard-coded limit in db*query.py that you must comment out (yes, I am serious).
Also see here:

https://answers.splunk.com/answers/593476/splunk-db-connect-how-do-you-increase-the-maximum.html

0 Karma
Reply

DalJeanis
Legend
‎12-31-2018 10:54 AM

So, there are a number of things that are possible to be wrong here.

First, you need to check the configuration of your "rising column". You should have the connection set up to only bring in new records, based on some field that will be known to track whether records are new. "Date added" or whatever.

Second, if records in the underlying database are being updated, rather than merely newly added, there is an architectural issue on the Splunk side that an updated, changed record is a new event as far as Splunk is concerned. That means you need do develop your queries to dedup the results on the record key, whatever that might be.

Alternatively, you might decide to bring in all the records on a schedule (such as every 24 hours) and not read records in splunk older than that.

Alternatively... and this is NOT recommended, but you can potentially do it, depending on your use case... you can set up a periodic job to purge the older copy of any duplicates.

0 Karma
Reply

p_gurav
Champion
‎12-27-2018 11:31 PM

Could you please share input configurations? Is it batch input or rising input?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...