For some reason, after upgrading Splunk to 7.1 some searches no longer return the results for certain days; instead of returning the right day's results, it repeats old dates. If I click a date like 4/4-4/5 in search for the last 30 days, it will return results from 4/19 instead. If I add a filter to host, then everything works correctly and I can see results. I can also search the entire year and all of the results are returned as well.
There's nothing special going on aside from a few field extractions here and there. Is this a known bug? I thought at first it may have been related to cached JS files locally but I've cleared my cache and also tried a number of variations to try to fix this to no avail. The only thing that consistently works is zooming out to the year, or setting the exact host. This also affects exporting the results among other things.
This reads like SPL-154973 actually, fixed in 7.1.3+
http://docs.splunk.com/Documentation/Splunk/7.1.3/ReleaseNotes/Fixedissues
Upgrade SH and IDX to 7.1.4+ (can't recommend to upgrade to 7.1.3 for other issues).
Wanted to say that we have noticed similar issues after upgrading from 7.0.0 to 7.1.0 - We see duplicate and/or out-of-order results on several types of searches with and without field-based filters. It gets even worse if you use the timeline to select ranges. It seems that certain time range or other filtering modifications either make it better or worse depending on what is being searched.
We also have a support case open for this issue.
Hi @chanfoli @jmangs, do you still see this issue? Was this ever addressed?
After some review, this may be SPL-154314.
The workaround for this is to set the following in limits.conf (on the Search Head):
[search]
phased_execution_mode = singlethreaded
If you still see the issue, then try that and see if that fixes the problem and let us know. (If it doesn't fix the issue, be sure to undo the change.)
I cannot see the issue you are facing, but when I used the following run-anywhere search: index=_internal | reverse
I can see that there are several Timelines with events, which do not show Events in the Results on selecting. However, when I clicked Zoom to Selection it pulled up the records. Definitely some issue with Timeline.
Screenshot for reference:
So can you just try to see what happens when you click Zoom to Selection? Does it pick the correct date?
PS: I am using Google Chrome.
Yea, Zoom to Selection (and Zoom Out) both work. Issue is that the user running this search wanted to export all the results for the last month; not selecting a specific date and using the pagination has the same bug where the results start to repeat. I'm trying to file a bug with Support but unfortunately my account isn't associated with my company's license directly so I have to go through an intermediary to get help from Splunk itself.
Well, I have a workaround at least by Zooming out to the year view.
I have opened a ticket for this. I will provide updates here as they occur.
@jmangs, if you either get your account/email associated with your company (your Account Rep can help), or file a support case via intermediary, please reference SPL-154051 in your case notes.
I cannot reproduce what you see on my local 7.1 instance (upgraded from 7.0.x), but I second @woodcock's advice.
Open a support case; it seems pretty cut-and-dried to me: bug.