Splunk Search

In Splunk Free Version, why is the same search query returning different results?

flopit
Path Finder

Hi,

I have Splunk Free (I am afraid this is not present in the "choose product" list, switched from "Enterprise Trial"...).

I am using the same user (there is only admin user in Splunk Free), and I have tried to run a very simple query several times,

host="abc-def.csv"

The time picker = "All time".

Moreover, the index records do not change during the searches (one time load CSV).

Also, settings for event sampling are "No event sampling".

Now, strangely, I always get a different amount of events returned (e.g. ranging from 132k to 169k events...).

Why is this so? Is there kind of timeout and how can I increase it?

There are several similar posts, but all are n.a. - e.g. I use a single user and the index does not change, ...

Thanks!

Best Regards
Florian

0 Karma
1 Solution

flopit
Path Finder

Upgrade to 7.1.3 helped! Now all looks good, no more "Search auto-finalized after disk usage limit (0MB) reached".

0 Karma

flopit
Path Finder

Hi,

I think I found why: after running the search, when I click on "job", it displays:
"Search auto-finalized after disk usage limit (0MB) reached"

I read through the documentation, and found this can be controlled by setting the value for "srchDiskQuota" in
"authentication.conf", which I did:

[role_admin]
srchDiskQuota = 500

Then restarting Splunk.
I am afraid: This did not help, still the same behaviour.
I guess: Since there are no "real" roles in Splunk Free, it is not possible to set this parameter manually by changing "authentication.conf".

My theory is: I guess for Splunk Free, this value is set to "0" to "encourage" people to get a real license, because bigger searches will have the auto-finalized status?
Can you please confirm if this is the case? If yes, I suggest also updating the "Splunk Free vs. Splunk Enterprise" documentation, so people know about this limitation.

Thanks!

Best Regards
Florian

0 Karma
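The symptom in this post matters beyond Splunk Free: any dashboard, alert or script that consumes an event count will silently report partial numbers if the job was auto-finalized, and the "job" dialog is the only place the truncation is visible. The script below is an added example (not code from the thread or from Splunk) that performs that check programmatically. It assumes the job-status dictionary shape returned by Splunk's search job REST endpoint (/services/search/jobs/<sid>): a sid, isDone and isFinalized flags, an eventCount, and a messages list of {"type", "text"} entries. The sample jobs are constructed to mimic the thread's numbers. Note that srchDiskQuota is a per-role setting in authorize.conf; editing authentication.conf, as the poster did, has no effect on it.

```python
"""Check Splunk search jobs for auto-finalization before trusting their counts.

Added example; not code from the thread or from Splunk. Field names
(sid, isDone, isFinalized, eventCount, messages) are assumed to match the
search job REST endpoint; all sample jobs are constructed.
"""
import re
from typing import Dict, List, Optional

# Matches the job message quoted in the thread, e.g.
# "Search auto-finalized after disk usage limit (0MB) reached"
AUTO_FINALIZED_RE = re.compile(
    r"auto-finalized after disk usage limit \((\d+)\s*MB\) reached", re.IGNORECASE
)


def truncation_reason(job: Dict) -> Optional[str]:
    """Return why this job's eventCount is incomplete, or None if it can be trusted."""
    for msg in job.get("messages", []):
        match = AUTO_FINALIZED_RE.search(msg.get("text", ""))
        if match:
            return f"auto-finalized at disk quota {match.group(1)}MB"
    if job.get("isFinalized"):
        # Finalized by a user or by some other limit: results are partial.
        return "finalized before completion"
    if not job.get("isDone", False):
        return "job still running"
    return None


def audit_repeated_runs(jobs: List[Dict]) -> Dict:
    """Compare repeated runs of one search; separate trustworthy counts from truncated ones."""
    trusted: List[int] = []
    truncated: List[Dict] = []
    for job in jobs:
        reason = truncation_reason(job)
        if reason is None:
            trusted.append(job["eventCount"])
        else:
            truncated.append(
                {"sid": job["sid"], "eventCount": job["eventCount"], "reason": reason}
            )
    return {
        "trusted_counts": trusted,
        "truncated": truncated,
        # Identical runs over a static index should agree exactly.
        "consistent": len(set(trusted)) <= 1,
    }


# Constructed sample: two runs on the affected version, one after the upgrade.
SAMPLE_JOBS = [
    {"sid": "run-1", "isDone": True, "isFinalized": True, "eventCount": 132000,
     "messages": [{"type": "INFO",
                   "text": "Search auto-finalized after disk usage limit (0MB) reached "}]},
    {"sid": "run-2", "isDone": True, "isFinalized": True, "eventCount": 169000,
     "messages": [{"type": "INFO",
                   "text": "Search auto-finalized after disk usage limit (0MB) reached "}]},
    {"sid": "run-3", "isDone": True, "isFinalized": False, "eventCount": 201345,
     "messages": []},
]

if __name__ == "__main__":
    report = audit_repeated_runs(SAMPLE_JOBS)
    for item in report["truncated"]:
        print(f"{item['sid']}: {item['eventCount']} events NOT trustworthy ({item['reason']})")
    print("trusted counts:", report["trusted_counts"], "consistent:", report["consistent"])
```

In practice the job dictionaries would come from the REST endpoint after the search completes; the point of the check is that the two truncated runs are rejected regardless of how plausible their counts look, and only the complete run is used for comparison or alerting.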

janispelss
Path Finder

What is the release number of your Splunk installation? 7.1.1 maybe?

0 Karma

flopit
Path Finder

I had the same idea, downloaded and upgraded to 7.1.3, now all is good again!

0 Karma