I make identical requests, but I receive different answers:
After the last update there is trouble with it. How can I achieve accuracy?
Possibly it is a consequence of the fact that the new versions of the programs were written over the old ones (the old version was not removed before the new one was installed)...
Thanks. In my case, a certain "host" analyzes a certain file that is loaded. That is, the contents of the file don't change. What will help me in this case? Cleaning the cache doesn't help.
Can you show your actual query?
When performing the query "host=02_05_2018 OR host=28_04_2018" (using "BY host"), it shows results only for 02_05_2018.
Screenshot: http://nimb.ws/uRTQmN
Did you try setting your search time range to "all time"?
Yes, it hasn't helped.
Query: host=01_04_2018
Shows all log records for April 1, 2018. A separate file is loaded for every day.
Mh, using the host field not for the host but for grouping by day isn't very good practice. However, it should still work. Did you try this:
| tstats prestats=t count where host=01_04_2018 by _time sourcetype
| timechart count by sourcetype
This should give you a timechart diagram of the data, and that shouldn't change on every query.
Thanks. I have reworked the logic of how the files are used; now I don't use "host". I have also moved to v.6.x, where this isn't observed.
By the way, thanks for an example.
This is normal when your host is forwarding events into Splunk continuously. Also, if you are searching for a time in the past (like yesterday) and it is still growing, it is possible that new events coming into Splunk are either arriving very late, or the timestamp is being misinterpreted and placed into the past.
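The two mechanisms named in that last answer (late-arriving events and mis-parsed timestamps) can be shown with a small simulation. The following Python is an added example, not code from the thread or from Splunk: it models an index as a list of (_time, _indextime) pairs with constructed values, repeats the same "April 1" search at three later points in time, and then applies the _indextime-minus-_time lag check a defender would use to confirm that late arrival, not the search itself, is what changes the count.

```python
"""Simulated index showing why a repeated search over a fixed _time window
can return a different count each time it is run (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed events: (_time as parsed from the event, _indextime when it was indexed).
# All four carry a _time on 2018-04-01, the day the thread's search asks for.
DAY = datetime(2018, 4, 1)
EVENTS = [
    # two on-time events: indexed seconds after their _time
    (DAY + timedelta(hours=10), DAY + timedelta(hours=10, seconds=5)),
    (DAY + timedelta(hours=14), DAY + timedelta(hours=14, seconds=3)),
    # late arrival: forwarder backlog, indexed on April 3 but _time is still April 1
    (DAY + timedelta(hours=23), DAY + timedelta(days=2, hours=1)),
    # mis-parsed timestamp: indexed April 2 but _time was placed back on April 1
    (DAY + timedelta(hours=2), DAY + timedelta(days=1, hours=9)),
]


def count_by_time(events, start, end, searched_at):
    """Count events whose _time is in [start, end) and that were already indexed
    when the search ran. This mirrors an ordinary Splunk search over _time: the
    result depends on what has been indexed so far, not only on the _time window."""
    return sum(1 for t, it in events if start <= t < end and it <= searched_at)


def late_arrivals(events, start, end, max_lag):
    """Return events in the _time window whose indexing lag exceeds max_lag.
    Equivalent idea to `| eval lag=_indextime-_time | where lag > N` in SPL."""
    return [(t, it) for t, it in events if start <= t < end and it - t > max_lag]


def repeated_search():
    """Run the same April 1 search at three later wall-clock times."""
    end = DAY + timedelta(days=1)
    checkpoints = {
        "searched Apr 2 00:00": DAY + timedelta(days=1),
        "searched Apr 2 12:00": DAY + timedelta(days=1, hours=12),
        "searched Apr 4 00:00": DAY + timedelta(days=3),
    }
    return {label: count_by_time(EVENTS, DAY, end, when) for label, when in checkpoints.items()}


if __name__ == "__main__":
    for label, n in repeated_search().items():
        print(f"{label}: {n} events for host=01_04_2018")
    late = late_arrivals(EVENTS, DAY, DAY + timedelta(days=1), timedelta(hours=1))
    print(f"{len(late)} events indexed more than 1h after their _time")
```

The search text never changes, yet the count climbs from 2 to 3 to 4 as the backlog drains and the mis-timestamped event lands in the window; the lag check isolates exactly those two events, which is the place to look before suspecting the search head or a cache.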