Repeated searches returning different number of re...

dstaulcu · ‎11-23-2014

So the users of one of our denser source-types (XenDesktop) are complaining that they rarely get the same results for repeated searches. I have a feeling they are running up against limits. Is there any sort of logging for admins or notification to users when a search limit is enforced?

changux · ‎11-23-2014

Hi.
Do you have Splunk On Splunk (S.o.S) app? Maybe some of the debug information on it can be useful to prepare an alert.

Regards.

lguinn2 · ‎11-23-2014

I think the most detail will be found in the search log for the individual searches. The easiest way to see this is to have your users run one of the suspect searches. Immediately after it completes, you should be able to find the search in the Jobs menu (assuming you are the Splunk admin). One of the options is "Inspect Job" - this gives you an overview of what happened in the search, the number of events returned, etc. At the bottom of the Search Job Inspector window, there should be a link to the search.log for the job, which will have even more information.

Also: View search job properties with Search Job Inspector will give you some good info about what you are seeing...

dstaulcu · ‎11-25-2014

Thanks for the input. I agree that this is the best place to go for analysis of searches but I do not see anything within this source types that indicate truncation occurred as a result of enforcement of limits. Am I missing something?

Repeated searches returning different number of results. Are there any logs that show if a search limit is reached or enforced?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!