Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Returning different Stats for same time range.

djreschke
Communicator
‎09-08-2020 08:53 AM

I have a scheduled report that runs monthly for the previous month. It runs a cron job 00 08 1 * *. 

I need to go back an validate the report but when i run the raw search i get different results:

Search: index=x sourcetype="xxx" source="*xxx*" group=*-xxx* msg="*assigned to session"
| stats max(_time) as last_login by user, group
| table user group last_login
| convert ctime(last_login)
| rename user as User group as Group last_login as "Last Login"

Results count from the scheduled report Tuesday, September 1, 2020 8:01 AM:  15754 results

results from the ad-hoc search ran this morning 9/8/2020: 15748

I understand this is a small difference but it doesn't make sense why i would have less results now, verses 7 days ago.

Thanks everyone in advance for the help.

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 12:41 PM

Getting more results makes sense because there could be delay in indexing of events or timestamp issues. For example if you are taking report for july month on 1st of August there could be 31st of july events indexed late. But getting less number of events is strange. 

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 12:35 PM

Can you verify info_max_time and info_min_time for both the searches using _audit logs. May be you can find some clue there?

————————————
If this helps, give a like below.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-08-2020 11:59 AM

What are your earliest and latest parameters? And also retention time for that index?
r. Ismo

0 Karma
Reply

djreschke
Communicator
‎09-08-2020 12:15 PM

-1mon@mon - earliest and latest is @mon. and rentention time is 1 year. 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-08-2020 12:19 PM
When you are running that ad-hoc several times (with some time between queries) are you getting all times the same result? Is there any errors/warnings on job inspector? How about if you change max to latest or latest_time?
0 Karma
Reply

djreschke
Communicator
‎09-08-2020 12:26 PM

I am getting the same results every time for the ad-hoc searches, no errors, but i am not getting the results from the scheduled search that ran last week. I have not changed the search, to use latest yet. I am trying to understand why the difference. the only change that was done after the schedule search ran was updating the following on the Cluster master. 

[httpServer]
maxThreads=100000
maxSockets=50000

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-08-2020 12:32 PM
So was the scheduled search without latest=@mon? If it is without that probably explain the difference. You could test it with putting latest=“09/01/2020:08:01:00”
0 Karma
Reply

djreschke
Communicator
‎09-08-2020 12:38 PM

The scheduled search uses the same time inputs for earliest and latest. I ran a different search for the month of july and I am getting more results now verses the scheduled report that ran for that month. 

July Secheduled report results: 14177 

Ad-Hoc search running from 7/01/2020 00:00:00 to 8/01/2020 00:00:00 results: 14187

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 10:14 PM

to check when events are indexed 

index=yourindex | eval _time=_indextime | stats count

 _indextime will give you time when events are indexed to indexer.

————————————
If this helps, give a like below.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-08-2020 01:41 PM

You probably have some events which have come later on to indexers, which explain this.

A good way to check this:

...
| eval iTime = _indextime, dTime = iTime - _time 
| eval dTimeHuman = tostring(dTime, "duration")

r. Ismo 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...