To clarify the issue a bit:

@nick405060 is running a distributed Splunk environment. He indexed a CSV-file with no _time field and wanted to output the first 250 rows but he always got 0 results. So his search was looking something like search index=abc source=test.csv | head 250 | table a, b, c, d

We researched the search.logs a bit and found an interesting entry like "SimpleResultsCombiner - 236 events were discarded due to a missing or invalid _time field".

However when he changed the search to "index=abc source=test.csv | table a,b,c,d | head 250" he got the results. He also got results if the first search was executed on an indexer. But if he executed it on a SearchHead, he never got results. So the issue must've originated somewhere in the distributed search mode.

So my guess is that if "head" is applied after a base search (with no reporting commands in between), the centralized streaming mode (https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Commandsbytype) first calls the SimpleResultsCombiner trying to merge/sort events by _time field. However there is no _time field in the CSV, so events are getting skipped. If we apply it on an indexer or after a reporting command, it'll use the distributed streaming mode, which does not seem to call SimpleResultsCombiner. Or maybe it does but not trying to merge/sort results as events by _time and therefore does not skip them.

Maybe there's some explanation from the Splunk devs regarding this issue and how we could avoid these in the future?

Nick 10:53 AM
its because he tabled the same value twice. but I still don't know why head would affect it if the non-head results don't)

Bojan Janisch 10:54 AM
To me it looks like a bug in SimpleResultsCombiner
Due to the fact that head is a centralized streaming command, the SimpleResultsCombiner is executed in order to merge event results... however altough you are using index=... you are not getting events, but csv or tabled results...
If you apply head on an indexer, it runs in distributed streaming mode... meaning that SimpleResultsCombiner is not executed

Nick 10:58 AM
but you should be able to run head on a search head for an indexed csv, correct? i mean you're intended to upload csvs into an index.

Bojan Janisch 11:00 AM
Yes... even though... each event in an index should always have 4 fields... _time, sourcetype, source and host...
you need to make sure that your indexed csvs rows become events
Make sure that there is a _time column in your csv

Nick 11:04 AM
i still think this is a very unexpected behavior. it's a very simple thing that I did (upload csv and search) and even as a 2yr full-time splunk developer I didn't know i had to make my csvs events in order to use head
so people e.g. my boss would never know to do this

Bojan Janisch 11:06 AM
Yes they could point to missing _time fields in your csv during index process

@bojanjanisch

Please share the working and non-working queries.