Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are users getting different data for the same query?

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 06:29 AM

I recently overheard someone asking this and I thought it was worth reposting on here for others' benefit.

Essentially, they've got some rather basic search, like index=_internal sourcetype=splunkd source=*splunk.log | stats count with the time selector set to search over the prior day (not last 24 hours). Yet different users were getting different results. This was most pronounced when users were in different offices.

I've seen two common reasons for this, which I'll answer in a moment. Feel free to add to the conversation with your own experiences and any questions for clarification!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 06:33 AM

Turns out the users had different timezones set! So even though the search was the same, the use of searching over "yesterday" was actually different and relative to their respective time zones. Conversely, if they searched over last 24 hours, this absolute would be consistent regardless of timezone.

This is a good time to direct attention back to https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureuserswithSplunkWeb and get a good grasp on $SPLUNK_HOME/etc/users/<username>/user-prefs/local/user-prefs.conf

View solution in original post

Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 06:36 AM

A parallel, yet different scenario was that the users were using event sampling. The difference in symptoms was that the same user would see different raw results with each run of the same search over the same absolute time period because different events were sampled and returned. So the user thought something was broken, but in reality, just forgot they enabled sampling 🙂

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-11-2018 06:33 AM

Are you testing questions for the new Architect exam?

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 12:08 PM

Ha ha. Nope, just really obsessed with Customer Success 😉

0 Karma
Reply
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 06:33 AM

Turns out the users had different timezones set! So even though the search was the same, the use of searching over "yesterday" was actually different and relative to their respective time zones. Conversely, if they searched over last 24 hours, this absolute would be consistent regardless of timezone.

This is a good time to direct attention back to https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureuserswithSplunkWeb and get a good grasp on $SPLUNK_HOME/etc/users/<username>/user-prefs/local/user-prefs.conf

Reply
Solved! Jump to solution

hire_vladimir
Explorer
‎07-11-2018 06:49 AM

To quickly rule out the effective time range being applied to the search, open job inspector; look at earliestTime and latestTime fields under job properties, these fields contain timezone offset information as part of the timestamp.

Reply
Register for .conf25!
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...
Top