Splunk Enterprise Security

Why are events included in one Search Head but not the other when running the same search?

whiteoakway135
Engager


I have a two-search-head, one-indexer environment. One Search Head is dedicated to Splunk Enterprise Security (ES). I ran the exact same search on the two Search Heads, but the non-ES Search Head seems to be missing events. Any ideas as to why?

0 Karma
1 Solution

splunker12er
Motivator

You are running the same search, but it seems you are running the search with a real-time moving window (10 minute window), so the results would vary according to the incoming real-time logs.

Try executing the search for a fixed/exact time range; any time it would produce the same number of results.


0 Karma
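To make the comparison the accepted answer describes concrete, here are three SPL searches as an added example (not part of the original thread). The index, sourcetype and timestamps are constructed placeholders; the time modifiers (`rt-10m`, `-10m@m`, `@m`) and the `addinfo` command are standard Splunk. The first search is the real-time rolling window that drifts between search heads; the second snaps the window to whole minutes so both heads evaluate the same boundaries; the third pins the boundaries absolutely and reports the window actually used, so the two result sets can be diffed with confidence.

```spl
index=main sourcetype=syslog earliest=rt-10m latest=rt
| stats count

index=main sourcetype=syslog earliest=-10m@m latest=@m
| stats count

index=main sourcetype=syslog earliest="03/01/2024:10:00:00" latest="03/01/2024:10:10:00"
| addinfo
| eval window_start=strftime(info_min_time, "%F %T"), window_end=strftime(info_max_time, "%F %T")
| stats count, min(_time) AS first_event, max(_time) AS last_event, values(window_start) AS window_start, values(window_end) AS window_end
```

Run the third search on both search heads and compare `count`, `window_start` and `window_end`: if the windows match but the counts do not, the difference is no longer a time-range artifact and is worth investigating on the indexer side (for example, search-time field extraction or role-based index restrictions that differ between the two heads).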


whiteoakway135
Engager

I ran them within a fixed time range and they returned the same number of events. I suppose I'll just need to account for certain real-time deviations when running searches against the different search heads. I feel like this brings up other questions, but I'll get there when I get there. Thanks!

0 Karma

davpx
Communicator

Try running these again with a set time window instead of a real-time search and compare again.

0 Karma