Solved: Re: Why are events included in one Search Head but...

whiteoakway135 · ‎04-04-2018

I have a two search head, one indexer environment. One Search Head is dedicated to Splunk Enterprise Security (ES). I ran the same exact search on the two Search Heads, but the non-ES Search Head seem to be missing events. Any ideas as to why?

splunker12er · ‎04-04-2018

You are running the same search , but it seem you are running the search with realtime moving window (10 minute window) - so the results would vary according to the incoming realtime logs.

Try execute the search for a fixed/exact time range - anytime it would produce the same no. of result.

View solution in original post

splunker12er · ‎04-04-2018

You are running the same search , but it seem you are running the search with realtime moving window (10 minute window) - so the results would vary according to the incoming realtime logs.

Try execute the search for a fixed/exact time range - anytime it would produce the same no. of result.

whiteoakway135 · ‎04-05-2018

I ran them within fixed time range and they returned the same number of events. I suppose I'll just need to account for certain real-time deviations when running searches against the different search heads. I feel like this brings up other questions, but I'll get there when I get there. Thanks!

davpx · ‎04-04-2018

Try running these again with a set time window instead of a real-time search and compare again.

Why are events included in one Search Head but not the other when running the same search?

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash