Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are events included in one Search Head but not the other when running the same search?

whiteoakway135
Engager
‎04-04-2018 01:21 PM

alt text

I have a two search head, one indexer environment. One Search Head is dedicated to Splunk Enterprise Security (ES). I ran the same exact search on the two Search Heads, but the non-ES Search Head seem to be missing events. Any ideas as to why?

Preview file
208 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunker12er
Motivator
‎04-04-2018 07:28 PM

You are running the same search , but it seem you are running the search with realtime moving window (10 minute window) - so the results would vary according to the incoming realtime logs.

Try execute the search for a fixed/exact time range - anytime it would produce the same no. of result.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

splunker12er
Motivator
‎04-04-2018 07:28 PM

You are running the same search , but it seem you are running the search with realtime moving window (10 minute window) - so the results would vary according to the incoming realtime logs.

Try execute the search for a fixed/exact time range - anytime it would produce the same no. of result.

0 Karma
Reply
Solved! Jump to solution

whiteoakway135
Engager
‎04-05-2018 11:40 AM

I ran them within fixed time range and they returned the same number of events. I suppose I'll just need to account for certain real-time deviations when running searches against the different search heads. I feel like this brings up other questions, but I'll get there when I get there. Thanks!

0 Karma
Reply
Solved! Jump to solution

davpx
Communicator
‎04-04-2018 05:26 PM

Try running these again with a set time window instead of a real-time search and compare again.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...