Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Different search results in Different systems

patilsh
Explorer
‎06-23-2017 10:29 AM

Hello All,

I have a search query which gives the below results:

alt text

Now the same query when my friend runs in his system, the number of events is same, but the events are not in same order:

Like in my system the first entry is as shown above : eventData.txLevelIn =-52
But in my friends system the first entry is eventData.txLevelIn =-56

Can someone tell me what is the issue.

We have not changed any setting, we both are on same Server.

Regards
Shailendra Patil

Tags (1)
Preview file
30 KB
0 Karma
Reply

DalJeanis
Legend
‎06-23-2017 04:51 PM

Other than latest event first, based on _time, order is not guaranteed in splunk unless you use commands that set it. Sort, or any of the various "by" options, will establish a required order. Two records that have identical keys as per the sort order, are not guaranteed to be in any particular order.

This is because the search is distributed out to the indexes, which each return the data to the search head whenever they are finished collecting the data they own. The search head then processes what it gets, when it gets it.

The same search, run later on the same search head, is not even guaranteed the same order, as I understand it, because some indexers may be faster or slower one time than they were on a prior time, and when collating the data back together, splunk has no reason to re-sort the data unless you told it to.

0 Karma
Reply

niketn
Legend
‎06-23-2017 11:25 AM

There is no issue. All events seem to be having the same time, and unless you sort based on both _time and eventData.txLevelIn, it might come out of sync.

Can you please provide more details of your search query? Have you create bin on _time field or modified _time in your query? What is the time range for which the query runs? Are you using any transforming command or just using table to print the data? Finally what is your use case? What does eventData.txLevelIn represent?
Although this might be irrelevant but are you and your colleague have different ids setup with different time zones?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

patilsh
Explorer
‎06-23-2017 11:28 AM

index="*******" userId="****" callId="****"|table _time eventData.txLevelIn
This is my query and have not modified anything separately

0 Karma
Reply

niketn
Legend
‎06-23-2017 11:58 AM

While your intent is still not clear. You can try something like following:

<YourBaseSearch>
| table _time eventData.txLevelIn
| head 1000
| sort - _time eventData.txLevelIn
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...