Basic search doesn't return consistent data

fdederichs · ‎01-30-2019

I'm doing a simple query into splunk to retrieve some data:

index=my_index
|table source,host

I've also put a specific timestamp using the "date & time range" tab, the query return around 19K events/lines.
The issue is that the query 'miss' some data (around 300 events/lines in total), data that appears when I'm lowering the time range or when I'm being more specific in the filtering of my query as such:

index= my_index host=a_specific_host
|table source,host

Then the previously missing data are shown. One thing to notice is that the missing data aren't random, there are always the same.
Do you have any idea on what could cause the issue ?
I'm running Splunk Enterprise Version: 7.2.3

Regards

woodcock · ‎01-30-2019

Does it always work if you do not use | table source host?

woodcock · ‎01-30-2019

I would definitely open a support case.

fdederichs · ‎01-30-2019

I did that too

woodcock · ‎01-30-2019

Be sure to post back what you find.

Basic search doesn't return consistent data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Basic search doesn't return consistent data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future