Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are users getting different data for the same query?

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 06:29 AM

I recently overheard someone asking this and I thought it was worth reposting on here for others' benefit.

Essentially, they've got some rather basic search, like index=_internal sourcetype=splunkd source=*splunk.log | stats count with the time selector set to search over the prior day (not last 24 hours). Yet different users were getting different results. This was most pronounced when users were in different offices.

I've seen two common reasons for this, which I'll answer in a moment. Feel free to add to the conversation with your own experiences and any questions for clarification!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 06:33 AM

Turns out the users had different timezones set! So even though the search was the same, the use of searching over "yesterday" was actually different and relative to their respective time zones. Conversely, if they searched over last 24 hours, this absolute would be consistent regardless of timezone.

This is a good time to direct attention back to https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureuserswithSplunkWeb and get a good grasp on $SPLUNK_HOME/etc/users/<username>/user-prefs/local/user-prefs.conf

View solution in original post

Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 06:36 AM

A parallel, yet different scenario was that the users were using event sampling. The difference in symptoms was that the same user would see different raw results with each run of the same search over the same absolute time period because different events were sampled and returned. So the user thought something was broken, but in reality, just forgot they enabled sampling 🙂

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎07-11-2018 06:33 AM

Are you testing questions for the new Architect exam?

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 12:08 PM

Ha ha. Nope, just really obsessed with Customer Success 😉

0 Karma
Reply
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎07-11-2018 06:33 AM

Turns out the users had different timezones set! So even though the search was the same, the use of searching over "yesterday" was actually different and relative to their respective time zones. Conversely, if they searched over last 24 hours, this absolute would be consistent regardless of timezone.

This is a good time to direct attention back to https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureuserswithSplunkWeb and get a good grasp on $SPLUNK_HOME/etc/users/<username>/user-prefs/local/user-prefs.conf

Reply
Solved! Jump to solution

hire_vladimir
Explorer
‎07-11-2018 06:49 AM

To quickly rule out the effective time range being applied to the search, open job inspector; look at earliestTime and latestTime fields under job properties, these fields contain timezone offset information as part of the timestamp.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...