Splunk Enterprise

"host" gives different total "events" values every time

New Member

I make identical requests but receive different answers:

  • Query 1: 327,572 events
  • Query 2: 340,072 events
  • Query 3: 302,590 events
  • Query 4: 340,072 events
  • Query 5: 327,572 events

This trouble started after the last update. How do I achieve accuracy?

New Member

Possibly it is a consequence of the new version of the program having been written over the old one (the old version was not removed before the new one was installed)...

New Member

Thanks. In my case, a certain loaded file is analysed under a certain "host". That is, the contents of the file don't change. What will help me in this case? Cleaning the cache doesn't help.

SplunkTrust

Can you show your actual query?


New Member

When performing the query "host=02052018 OR host=28042018" (using "BY host"), it shows results only for 02052018.

screen: http://nimb.ws/uRTQmN


SplunkTrust

Did you try setting your search time range to "all time"?


New Member

Yes, it hasn't helped.

New Member

Query: host=01042018
Shows all records of the log for April 1, 2018. For every day a separate file is loaded.

SplunkTrust

Mh, using the host field not for the host but for grouping by day isn't very good practice. However, it should still work. Did you try this:
| tstats prestats=t count where host=01042018 by _time sourcetype
| timechart count by sourcetype

This should give you a timechart diagram of the data, and that shouldn't change on every query.


New Member

Thanks. I have reworked the logic of how the files are used; now I don't use "host". I have also moved to v.6.x, where this isn't observed.
By the way, thanks for the example.

Esteemed Legend

This is normal when your host is forwarding events into Splunk continuously. Also, if you are searching for a time in the past (like yesterday), and it is still growing, it is possible that new events coming into Splunk are either arriving very late, or the timestamp is being mis-interpreted and placed into the past.
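As an added illustration (not part of the thread, and not Splunk's own code), the following small Python model reproduces the two effects the last reply describes: a search over a fixed past day keeps growing while events for that day are still being indexed, and a day-first timestamp mis-read as month-first lands events in the past. The events, timestamps and search instants are all constructed; the D/M/Y raw stamps follow the DDMMYYYY host names used in the thread.

```python
# Added example, not from the thread: model why the count for one fixed day
# differs between identical searches. All events below are constructed.
from datetime import date, datetime

# (raw timestamp as written in the log, instant the indexer received it)
RAW_EVENTS = [
    ("01/04/2018 09:00:00", datetime(2018, 4, 1, 9, 0, 5)),
    ("01/04/2018 12:30:00", datetime(2018, 4, 1, 12, 30, 2)),
    ("01/04/2018 23:50:00", datetime(2018, 4, 2, 0, 0, 40)),  # arrives just after midnight
    ("01/04/2018 23:59:00", datetime(2018, 4, 3, 8, 15, 0)),  # very late: forwarder backlog
    ("02/04/2018 00:10:00", datetime(2018, 4, 2, 0, 10, 3)),  # belongs to the next day's file
]

APRIL_1 = date(2018, 4, 1)          # the day the thread's host=01042018 file covers
JAN_4 = date(2018, 1, 4)            # where 01/04/2018 lands if parsed month-first
SEARCH_TIMES = [datetime(2018, 4, 2), datetime(2018, 4, 2, 6), datetime(2018, 4, 4)]

def parse_event_time(raw, dayfirst=True):
    """Parse the raw stamp. dayfirst=False mimics a wrong timestamp format,
    so 01/04/2018 (1 April) is read as 4 January, i.e. placed into the past."""
    fmt = "%d/%m/%Y %H:%M:%S" if dayfirst else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(raw, fmt)

def count_for_day(events, day, searched_at, dayfirst=True):
    """Count events whose parsed time falls on `day` and that were already
    indexed when the search ran; anything indexed later is invisible to it."""
    return sum(
        1 for raw, indexed_at in events
        if indexed_at <= searched_at and parse_event_time(raw, dayfirst).date() == day
    )

def repeated_searches(events, day, search_times, dayfirst=True):
    """Run the identical search at several instants: the count drifts upward
    while late events keep arriving and settles once the backlog has drained."""
    return [count_for_day(events, day, t, dayfirst) for t in search_times]

if __name__ == "__main__":
    print("same search, different answers:", repeated_searches(RAW_EVENTS, APRIL_1, SEARCH_TIMES))
    print("month-first parsing: April 1 holds",
          count_for_day(RAW_EVENTS, APRIL_1, SEARCH_TIMES[-1], dayfirst=False),
          "events, January 4 holds",
          count_for_day(RAW_EVENTS, JAN_4, SEARCH_TIMES[-1], dayfirst=False))
```

The first search sees 2 events, the second 3, the third 4, even though the day being searched never changed; with the wrong timestamp format the whole day appears empty and its events show up in January instead.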