Why is loadjob not getting all results?

michaelnorup · ‎03-23-2023

Hi everyone.

I am trying to create historical capacity data over some servers. I have 1 search that will return all the data i need.
This search runs with a timepicker of 14 months(unlike the picture here for speed) and the last part ( | search Customer="*****") is not part of the scheduled report

As you can see this returns 46 servers as expected.
Then, when i try to load the search later on to create dashboards it now only returns 23 servers...

The fact that it returns SOME of the servers but not all is confusing me. I have triple checked that the Customer="***" is correct in both searches.

Does anybody have ideas? It makes no sense to me

michaelnorup · ‎03-29-2023

Anybody have ideas?

michaelnorup · ‎03-28-2023

If i remove the dedup on servername in the second search (because its already there in the main search)
It disregards my time picker, and shows my data from the last 14 months i think

Gr0und_Z3r0 · ‎03-23-2023

I can see an exclamation mark on the job for the first screenshot. You'll need to inspect the job for the scheduled search and see if there are any issues identified or indexers unable to provide results as part of the search execution.
Ensure that the scheduled searches always complete their executions and schedule them with correct priority.

michaelnorup · ‎03-28-2023

There were no issues related to this unfortunately. And if there were issues in the first search, wouldnt that one also not be able to show all the results?

Why is loadjob not getting all results?

subsearch

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor