Splunk Search

Repeated searches returning different number of results. Are there any logs that show if a search limit is reached or enforced?

dstaulcu
Builder

So the users of one of our denser source-types (XenDesktop) are complaining that they rarely get the same results for repeated searches. I have a feeling they are running up against limits. Is there any sort of logging for admins or notification to users when a search limit is enforced?

0 Karma

changux
Builder

Hi.
Do you have the Splunk on Splunk (S.o.S) app? Maybe some of the debug information in it can be useful to prepare an alert.

Regards.

0 Karma

lguinn2
Legend

I think the most detail will be found in the search log for the individual searches. The easiest way to see this is to have your users run one of the suspect searches. Immediately after it completes, you should be able to find the search in the Jobs menu (assuming you are the Splunk admin). One of the options is "Inspect Job" - this gives you an overview of what happened in the search, the number of events returned, etc. At the bottom of the Search Job Inspector window, there should be a link to the search.log for the job, which will have even more information.

Also: "View search job properties with Search Job Inspector" will give you some good info about what you are seeing...

dstaulcu
Builder

Thanks for the input. I agree that this is the best place to go for analysis of searches, but I do not see anything within these source types that indicates truncation occurred as a result of enforcement of limits. Am I missing something?

0 Karma