Splunk Search

Why are the search results changing days after running the same search?

bsree
New Member

We are periodically seeing instances where data that was previously indexed shows up differently.
The results I got for a sample search changed after some days when I ran the same search again for the same time period.

Kindly help me to figure out why this is happening.
This problem is only with a particular index; all others are working fine.

0 Karma

evania
Splunk Employee

Hi @bsree ,

Did you have a chance to check answers yet? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma

stcrispan
Communicator

martinpu - thanks for your help. We tried them out, and now there are even more questions...

Attempting these queries...the first one produced no results for a 24 hour period, but counting over 7 days, produced some numbers in the chart ranging from 1 up to 37. Are these in seconds, milliseconds, count of events which were delayed? Which ones?

The second query showed, over seven days, a minimum "rounded" of 0.0 (count 5) and maximum "rounded" of 222.0 (count 1). Again, this query reveals the "time difference delay", but in what measurement? Does this say that there were 5 events which had zero lag, and 1 which experienced 222 lag? 222 what? Seconds, milliseconds, minutes?

And, once we've got that definition, how does the indexing delay cause the charts produced for the same day to be different? I thought that the data, once recorded, was immutable. Seems like it would have to be a pretty sizable delay...

Again, appreciate the help, it's just that we've only been using it for about a year...

0 Karma

niketn
Legend

@bsree please add more details to your question. What do you mean by "shows up differently"? Does it increase? Does it decrease, or is it random? What is the current query? Are you showing stats or is it a raw data search? Do you have sub-searches in your query? What is the volume of data coming to the index? Is it possible that the indexed data is getting purged?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

bsree
New Member

It's random; it decreases as well as increases. My query is this: { index="dss_tablet" host="SLATE501*" EventCode=1991 | timechart count as Occurrences }. Previously when I searched there were more than 400 events; right now if I search there are only 255 events. I don't think indexed data is getting purged.

0 Karma

martinpu
Communicator

Perhaps your events are arriving to the index with a delay?

Try this and see when your events were indexed:

your query
| bucket _indextime bins=500
| chart count by _indextime

Or, to figure out the time difference (the delay between the event happening and reaching the index):

your query
| eval delay=_indextime-_time
| eval rounded=round(delay,1)
| chart count by rounded

This will only work if you have access to _indextime, which you might not have access to by default.

0 Karma
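To make the effect of indexing delay concrete, here is an added Python model (not code from the thread or from Splunk) of why a search over a fixed time window can return more events days later. It assumes constructed events carrying `_time` and `_indextime`, both Unix epoch seconds, so the `_indextime - _time` delay is in seconds, and it mirrors the `chart count by rounded` query above.

```python
# Added example: each event has _time (when it happened) and _indextime
# (when the indexer wrote it), both Unix epoch seconds, so the delay
# _indextime - _time is measured in seconds.
from collections import Counter

HOUR = 3600
DAY = 24 * HOUR
T0 = 1_700_000_000  # constructed start of the searched day (epoch seconds)

# Constructed sample events as (_time, _indextime); hypothetical values.
EVENTS = [
    (T0 + 1 * HOUR, T0 + 1 * HOUR + 2),    # indexed 2 s after it happened
    (T0 + 2 * HOUR, T0 + 2 * HOUR + 30),   # 30 s lag
    (T0 + 5 * HOUR, T0 + 5 * HOUR + 222),  # 222 s lag
    (T0 + 6 * HOUR, T0 + 2 * DAY),         # forwarder backlog: arrived 2 days late
    (T0 + 9 * HOUR, T0 + 3 * DAY),         # arrived 3 days late
    (T0 + 30 * HOUR, T0 + 30 * HOUR + 1),  # outside the searched window
]


def search(events, earliest, latest, searched_at):
    """Events with _time in [earliest, latest) that were already indexed
    when the search ran; an indexer cannot return what it has not stored."""
    return [(t, it) for t, it in events
            if earliest <= t < latest and it <= searched_at]


def delay_histogram(events):
    """Equivalent of `eval delay=_indextime-_time | eval rounded=round(delay,1)
    | chart count by rounded`: number of events per delay value, in seconds."""
    return Counter(round(it - t, 1) for t, it in events)


def occurrences_by_search_day(events, earliest, latest, days):
    """Count the same search returns when re-run at the end of each day."""
    return [len(search(events, earliest, latest, latest + d * DAY))
            for d in range(days)]


if __name__ == "__main__":
    # The timechart total for one day grows as late events arrive: [3, 4, 5, 5]
    print(occurrences_by_search_day(EVENTS, T0, T0 + DAY, 4))
    print(sorted(delay_histogram(search(EVENTS, T0, T0 + DAY, T0 + 4 * DAY)).items()))
```

A large bucket in the delay histogram (hundreds of thousands of seconds here) points at the events that were missing from the earlier run of the same search.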