Basic search doesn't return consistent data

fdederichs · ‎01-30-2019

I'm doing a simple query into splunk to retrieve some data:

index=my_index
|table source,host

I've also put a specific timestamp using the "date & time range" tab, the query return around 19K events/lines.
The issue is that the query 'miss' some data (around 300 events/lines in total), data that appears when I'm lowering the time range or when I'm being more specific in the filtering of my query as such:

index= my_index host=a_specific_host
|table source,host

Then the previously missing data are shown. One thing to notice is that the missing data aren't random, there are always the same.
Do you have any idea on what could cause the issue ?
I'm running Splunk Enterprise Version: 7.2.3

Regards

woodcock · ‎01-30-2019

Does it always work if you do not use | table source host?

woodcock · ‎01-30-2019

I would definitely open a support case.

fdederichs · ‎01-30-2019

I did that too

woodcock · ‎01-30-2019

Be sure to post back what you find.

Basic search doesn't return consistent data

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Basic search doesn't return consistent data

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2