Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are we getting different events for the same sourcetype when searching for the same time period?

abhijit_mhatre
Path Finder
‎07-20-2016 01:30 AM

There are sourcetypes which are returning different number of events for the same time period.

Example:
sourcetype="ABC" returns 90,000 events for the last 15 mins
sourcetype="ABC" returns 94,000 events for the last 15 mins

ABC is the same sourcetype used while searching events.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-20-2016 01:37 AM

Whats your full search on those? Are you including an index name, e.g.

index=indexforsourcetypeabc sourcetype=abc

VS a wildcard search..

sourcetype=abc

Depending on the user permissions, these could be returning different results from different indexes.

Also, is this in a distributed environment? Is the same search from a single user returning different results?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-20-2016 01:37 AM

Whats your full search on those? Are you including an index name, e.g.

index=indexforsourcetypeabc sourcetype=abc

VS a wildcard search..

sourcetype=abc

Depending on the user permissions, these could be returning different results from different indexes.

Also, is this in a distributed environment? Is the same search from a single user returning different results?

0 Karma
Reply
Solved! Jump to solution

abhijit_mhatre
Path Finder
‎07-20-2016 01:41 AM

It is a wildcard search in a distributed environment.
Yes, it is a same search from a single user returning different results.

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-20-2016 02:35 AM

You can should try looking at the search log between the different searches and see if you have an indexer that's not returning results or perhaps you have a underlying performance issue.

You can try running a search like

index=abcindex sourcetype="ABC" | stats count by splunk_server

Take a look at that and see what your event count is across your indexers. They should be balanced fairly evenly. Where events aren't balanced should point to either new servers or potential issues.
Without knowing more about your environment, it's hard to help.

0 Karma
Reply
Solved! Jump to solution

abhijit_mhatre
Path Finder
‎07-20-2016 05:02 AM

Thanks for your response.
I tried running the query using index & count by splunk_server, but still events are not balanced. There might be a performance issue of the sourcetypes.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...