I have Splunk Free (I am afraid this is not present in the "choose product" list, switched from "Enterprise Trial"...).
I am using the same user (there is only the admin user in Splunk Free), and I have tried to run a very simple query several times.
The time picker = "All time".
Moreover, the index records do not change during the searches (one time load CSV).
Also, settings for event sampling are "No event sampling".
Now, strangely, I always get a different amount of events returned (e.g. ranging from 132k to 169k events...).
Why is this so? Is there kind of timeout and how can I increase it?
There are several similar posts, but all are n.a. - e.g. I use a single user and the index does not change, ...
I think I found why: after running the search, when I click on "job", it displays:
"Search auto-finalized after disk usage limit (0MB) reached"
I read through the documentation, and found this can be controlled by setting the value for "srchDiskQuota" in
"authentication.conf", which I did:
srchDiskQuota = 500
Then I restarted Splunk.
I am afraid this did not help; still the same behaviour.
I guess: Since there are no "real" roles in Splunk Free, it is not possible to set this parameter manually by changing "authentication.conf".
My theory is: I guess for Splunk Free, this value is set to "0" to "encourage" people to get a real license, because bigger searches will get the auto-finalized status?
Can you please confirm if this is the case? If yes, I suggest also updating the "Splunk Free vs. Splunk Enterprise" documentation, so people know about this limitation.