Splunk Search

Why in my current search, fewer results appear?


Hello everyone,
A query, I have the following problem where a query is made to a specific index and sourcetype at a certain time and if the next day I execute that query again, the number of events is less. It is worth mentioning that it is not possible to see any corrupted buket, or that the space of the indexers is full, which could cause a loss of information.

Excuse the translation by google

Labels (1)
Tags (1)
0 Karma

Ultra Champion

Hard to say without actually seeing your search. The most obvious possible reason that comes to mind is that you indeed have fewer and fewer events in the specified timerange. Maybe some buckets expire. Maybe the inputs stopped working...

See the report in job inspector.

0 Karma
Get Updates on the Splunk Community!

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...