Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Different search results in Different systems

patilsh
Explorer
‎06-23-2017 10:29 AM

Hello All,

I have a search query which gives the below results:

alt text

Now the same query when my friend runs in his system, the number of events is same, but the events are not in same order:

Like in my system the first entry is as shown above : eventData.txLevelIn =-52
But in my friends system the first entry is eventData.txLevelIn =-56

Can someone tell me what is the issue.

We have not changed any setting, we both are on same Server.

Regards
Shailendra Patil

Tags (1)
Preview file
1 KB
0 Karma
Reply

DalJeanis
Legend
‎06-23-2017 04:51 PM

Other than latest event first, based on _time, order is not guaranteed in splunk unless you use commands that set it. Sort, or any of the various "by" options, will establish a required order. Two records that have identical keys as per the sort order, are not guaranteed to be in any particular order.

This is because the search is distributed out to the indexes, which each return the data to the search head whenever they are finished collecting the data they own. The search head then processes what it gets, when it gets it.

The same search, run later on the same search head, is not even guaranteed the same order, as I understand it, because some indexers may be faster or slower one time than they were on a prior time, and when collating the data back together, splunk has no reason to re-sort the data unless you told it to.

0 Karma
Reply

niketn
Legend
‎06-23-2017 11:25 AM

There is no issue. All events seem to be having the same time, and unless you sort based on both _time and eventData.txLevelIn, it might come out of sync.

Can you please provide more details of your search query? Have you create bin on _time field or modified _time in your query? What is the time range for which the query runs? Are you using any transforming command or just using table to print the data? Finally what is your use case? What does eventData.txLevelIn represent?
Although this might be irrelevant but are you and your colleague have different ids setup with different time zones?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

patilsh
Explorer
‎06-23-2017 11:28 AM

index="*******" userId="****" callId="****"|table _time eventData.txLevelIn
This is my query and have not modified anything separately

0 Karma
Reply

niketn
Legend
‎06-23-2017 11:58 AM

While your intent is still not clear. You can try something like following:

<YourBaseSearch>
| table _time eventData.txLevelIn
| head 1000
| sort - _time eventData.txLevelIn
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...