Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why are users getting different data for the same ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I recently overheard someone asking this and I thought it was worth reposting on here for others' benefit.
Essentially, they've got some rather basic search, like index=_internal sourcetype=splunkd source=*splunk.log | stats count with the time selector set to search over the prior day (not last 24 hours). Yet different users were getting different results. This was most pronounced when users were in different offices.
I've seen two common reasons for this, which I'll answer in a moment. Feel free to add to the conversation with your own experiences and any questions for clarification!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out the users had different timezones set! So even though the search was the same, the use of searching over "yesterday" was actually different and relative to their respective time zones. Conversely, if they searched over last 24 hours, this absolute would be consistent regardless of timezone.
This is a good time to direct attention back to https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureuserswithSplunkWeb and get a good grasp on $SPLUNK_HOME/etc/users/<username>/user-prefs/local/user-prefs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A parallel, yet different scenario was that the users were using event sampling. The difference in symptoms was that the same user would see different raw results with each run of the same search over the same absolute time period because different events were sampled and returned. So the user thought something was broken, but in reality, just forgot they enabled sampling 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you testing questions for the new Architect exam?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ha ha. Nope, just really obsessed with Customer Success 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out the users had different timezones set! So even though the search was the same, the use of searching over "yesterday" was actually different and relative to their respective time zones. Conversely, if they searched over last 24 hours, this absolute would be consistent regardless of timezone.
This is a good time to direct attention back to https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureuserswithSplunkWeb and get a good grasp on $SPLUNK_HOME/etc/users/<username>/user-prefs/local/user-prefs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To quickly rule out the effective time range being applied to the search, open job inspector; look at earliestTime and latestTime fields under job properties, these fields contain timezone offset information as part of the timestamp.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
