Splunk Search

Search returning duplicated/wrong results after upgrading to 7.1

jmangs
Explorer

For some reason, after upgrading Splunk to 7.1 some searches no longer return the results for certain days; instead of returning the right day's results, it repeats old dates. If I click a date like 4/4-4/5 in search for the last 30 days, it will return results from 4/19 instead. If I add a filter to host, then everything works correctly and I can see results. I can also search the entire year and all of the results are returned as well.

Bug

There's nothing special going on aside from a few field extractions here and there. Is this a known bug? I thought at first it may have been related to cached JS files locally but I've cleared my cache and also tried a number of variations to try to fix this to no avail. The only thing that consistently works is zooming out to the year, or setting the exact host. This also affects exporting the results among other things.

mhoogcarspel_sp
Splunk Employee

This reads like SPL-154973 actually, fixed in 7.1.3+
http://docs.splunk.com/Documentation/Splunk/7.1.3/ReleaseNotes/Fixedissues

Upgrade SH and IDX to 7.1.4+ (I can't recommend upgrading to 7.1.3 because of other issues).

0 Karma

chanfoli
Builder

Wanted to say that we have noticed similar issues after upgrading from 7.0.0 to 7.1.0. We see duplicate and/or out-of-order results on several types of searches, with and without field-based filters. It gets even worse if you use the timeline to select ranges. It seems that certain time range or other filtering modifications either make it better or worse depending on what is being searched.

We also have a support case open for this issue.

0 Karma

rkantamaneni_sp
Splunk Employee

Hi @chanfoli @jmangs, do you still see this issue? Was this ever addressed?

After some review, this may be SPL-154314.

The workaround for this is to set the following in limits.conf (on the Search Head):

[search]
phased_execution_mode = singlethreaded

If you still see the issue, then try that and see if it fixes the problem, and let us know. (If it doesn't fix the issue, be sure to undo the change.)

0 Karma

niketn
Legend

I cannot see the issue you are facing, but when I used the following run-anywhere search, index=_internal | reverse, I can see that there are several Timelines with events which do not show Events in the Results on selecting. However, when I clicked Zoom to Selection it pulled up the records. Definitely some issue with Timeline.

Screenshot for reference:

https://imgur.com/a/5aO2vZo

So can you just try to see what happens when you click Zoom to Selection? Does it pick correct date?

PS: I am using Google Chrome.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jmangs
Explorer

Yea, Zoom to Selection (and Zoom Out) both work. Issue is that the user running this search wanted to export all the results for the last month; not selecting a specific date and using the pagination has the same bug where the results start to repeat. I'm trying to file a bug with Support but unfortunately my account isn't associated with my company's license directly so I have to go through an intermediary to get help from Splunk itself.

Well, I have a workaround at least by Zooming out to the year view.

0 Karma
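A consistency check for the symptom jmangs describes (results repeating and going out of order when paging through or exporting a search), as an added example that is not part of this thread or of Splunk itself. It assumes a CSV export with _time, host and _raw columns and a newest-first search, and the sample rows below are constructed, not real data.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Splunk CSV export (not real data). The search ran
# newest-first, so _time should never increase from one row to the next.
# Row 4 is a verbatim repeat of row 1 and row 5 jumps forward in time,
# mimicking the repeated/out-of-order results the thread describes.
SAMPLE_EXPORT = """\
_time,host,_raw
2018-04-19T10:00:05,web01,GET /index.html 200
2018-04-19T09:59:58,web02,GET /login 302
2018-04-18T23:10:01,web01,POST /api 500
2018-04-19T10:00:05,web01,GET /index.html 200
2018-04-19T11:00:00,web03,GET /health 200
"""


def check_export(csv_text, order="desc"):
    """Return (duplicate_rows, order_violations) for a Splunk CSV export.

    duplicate_rows: 1-based row numbers whose (_time, host, _raw) triple
      already appeared earlier in the file.
    order_violations: 1-based row numbers whose _time breaks the expected
      monotonic order ("desc" = newest first, Splunk's default; "asc" for
      a search ending in "| reverse").
    Assumes _time is an ISO-8601 string in one timezone, so that plain
    string comparison gives chronological order.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    seen = Counter()
    duplicates, violations = [], []
    prev = None
    for n, row in enumerate(rows, start=1):
        key = (row["_time"], row["host"], row["_raw"])
        if seen[key]:
            duplicates.append(n)
        seen[key] += 1
        t = row["_time"]
        if prev is not None:
            out_of_order = t > prev if order == "desc" else t < prev
            if out_of_order:
                violations.append(n)
        prev = t
    return duplicates, violations


if __name__ == "__main__":
    dups, bad_order = check_export(SAMPLE_EXPORT)
    print("duplicate rows:", dups)          # [4]
    print("out-of-order rows:", bad_order)  # [4, 5]
```

Run it over a real export (for example the output of a search with `| fields _time host _raw` saved as CSV) to confirm whether an affected search head is actually emitting repeated events or just rendering them oddly.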

s2_splunk
Splunk Employee

I have opened a ticket for this. I will provide updates here as they occur.
@jmangs, if you either get your account/email associated with your company (your Account Rep can help), or file a support case via intermediary, please reference SPL-154051 in your case notes.

0 Karma

s2_splunk
Splunk Employee

I cannot reproduce what you see on my local 7.1 instance (upgraded from 7.0.x), but I second @woodcock's advice.

0 Karma

woodcock
Esteemed Legend

Open a support case; it seems pretty cut-and-dried to me: bug.

0 Karma