Splunk Search

Repeated searches returning different number of results. Are there any logs that show if a search limit is reached or enforced?

dstaulcu
Builder

So the users of one of our denser source-types (XenDesktop) are complaining that they rarely get the same results for repeated searches. I have a feeling they are running up against limits. Is there any sort of logging for admins or notification to users when a search limit is enforced?

0 Karma

changux
Builder

Hi.
Do you have Splunk On Splunk (S.o.S) app? Maybe some of the debug information on it can be useful to prepare an alert.

Regards.

0 Karma

lguinn2
Legend

I think the most detail will be found in the search log for the individual searches. The easiest way to see this is to have your users run one of the suspect searches. Immediately after it completes, you should be able to find the search in the Jobs menu (assuming you are the Splunk admin). One of the options is "Inspect Job" - this gives you an overview of what happened in the search, the number of events returned, etc. At the bottom of the Search Job Inspector window, there should be a link to the search.log for the job, which will have even more information.

Also: View search job properties with Search Job Inspector will give you some good info about what you are seeing...

dstaulcu
Builder

Thanks for the input. I agree that this is the best place to go for analysis of searches but I do not see anything within this source types that indicate truncation occurred as a result of enforcement of limits. Am I missing something?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...