Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search returning different number of results every time?

kgiri253
Explorer
‎11-02-2022 11:01 PM

kgiri253_0-1667455084968.png

 

I am trying to execute this search but 90% of the times this search does not complete and returns incomplete results. The count is different for example this search will return 4,63,000 events, 4,20,000 or 3,60,000 etc results. I believe that my search is a bit heavy. Can anyone please help me to optimize this search.

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-03-2022 12:37 AM

Hi @kgiri253,

let me understand, is the problem that you continously have different results or that the search doesn't complete its run?

For the different number of results, try to use a defined time period without latest=now, in other words, try using yesterday or a past hour (earliest=-2h@h latest=-h@h).

if the search isn't complete, check using the job inspector and the Monitoring Console if the search has problems.

A basic question: have you sufficient resources for your Splunk: 12 CPUs, 12 GB RAM, storage with at least 800 IOPS?

Ciao.

Giuseppe

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-03-2022 12:32 AM

Are you running in a clustered index environment? If so, the rirst thing to do is to replace 'table' with 'fields', otherwise the mvexpand will be running on the search head. If you use fields, it will run on the indexer.

Doing mvexpand followed by dedup and then stats is going to pump memory, first creating a load of events then removing them. 

With 'finding', what's the relationship to sid - is it 1:1? If so, you don't need dedup.

Check the job inspector to see where the time is going.

If you're getting variable result counts, but using the identical time window, then it's probably mvexpand and memory and perhaps running on the SH.

Try to minimise the data volume before you mvexpand - is there a way to do what you're trying to do with stats without expanding the data?

What is the cardinality of all the values() fields you are collecting - that will also consume a lot of memory if high.

 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...