Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Returning different Stats for same time range.

djreschke
Communicator
‎09-08-2020 08:53 AM

I have a scheduled report that runs monthly for the previous month. It runs a cron job 00 08 1 * *. 

I need to go back an validate the report but when i run the raw search i get different results:

Search: index=x sourcetype="xxx" source="*xxx*" group=*-xxx* msg="*assigned to session"
| stats max(_time) as last_login by user, group
| table user group last_login
| convert ctime(last_login)
| rename user as User group as Group last_login as "Last Login"

Results count from the scheduled report Tuesday, September 1, 2020 8:01 AM:  15754 results

results from the ad-hoc search ran this morning 9/8/2020: 15748

I understand this is a small difference but it doesn't make sense why i would have less results now, verses 7 days ago.

Thanks everyone in advance for the help.

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 12:41 PM

Getting more results makes sense because there could be delay in indexing of events or timestamp issues. For example if you are taking report for july month on 1st of August there could be 31st of july events indexed late. But getting less number of events is strange. 

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 12:35 PM

Can you verify info_max_time and info_min_time for both the searches using _audit logs. May be you can find some clue there?

————————————
If this helps, give a like below.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-08-2020 11:59 AM

What are your earliest and latest parameters? And also retention time for that index?
r. Ismo

0 Karma
Reply

djreschke
Communicator
‎09-08-2020 12:15 PM

-1mon@mon - earliest and latest is @mon. and rentention time is 1 year. 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-08-2020 12:19 PM
When you are running that ad-hoc several times (with some time between queries) are you getting all times the same result? Is there any errors/warnings on job inspector? How about if you change max to latest or latest_time?
0 Karma
Reply

djreschke
Communicator
‎09-08-2020 12:26 PM

I am getting the same results every time for the ad-hoc searches, no errors, but i am not getting the results from the scheduled search that ran last week. I have not changed the search, to use latest yet. I am trying to understand why the difference. the only change that was done after the schedule search ran was updating the following on the Cluster master. 

[httpServer]
maxThreads=100000
maxSockets=50000

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-08-2020 12:32 PM
So was the scheduled search without latest=@mon? If it is without that probably explain the difference. You could test it with putting latest=“09/01/2020:08:01:00”
0 Karma
Reply

djreschke
Communicator
‎09-08-2020 12:38 PM

The scheduled search uses the same time inputs for earliest and latest. I ran a different search for the month of july and I am getting more results now verses the scheduled report that ran for that month. 

July Secheduled report results: 14177 

Ad-Hoc search running from 7/01/2020 00:00:00 to 8/01/2020 00:00:00 results: 14187

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 10:14 PM

to check when events are indexed 

index=yourindex | eval _time=_indextime | stats count

 _indextime will give you time when events are indexed to indexer.

————————————
If this helps, give a like below.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-08-2020 01:41 PM

You probably have some events which have come later on to indexers, which explain this.

A good way to check this:

...
| eval iTime = _indextime, dTime = iTime - _time 
| eval dTimeHuman = tostring(dTime, "duration")

r. Ismo 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...