Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is tstats not displaying all expected hosts?

BLACKBEARCO
Explorer
‎06-20-2022 04:18 PM

We are about to open up a Splunk ticket for this issue, but figured we'd check with the community first.

Problem: The tstats command is not seeing all of our indexed data and queries would suggest that our Forwarders are not sending data, which isn't true. We've run multiple queries against the index confirming the expected data exists in the index and the fields are indexed. In addition, the hosts show up in the data summary for the index. We are searching within a timeline in which events do exist in the index, so it's not like we are searching for data that never existed.

We even performed a restart of the Splunk service and noted a significant number of hosts' data in the index have stopped being processed by tstats / tsidx according to the timestamp of the latest event for the hosts. It coincides with the Splunk restart but never starts processing the data again to be visible by tstats, even after several hours. Other hosts data is processed as expected, so we have some hosts with current "lastSeen" times:

 

 

| tstats count max(_time) as lastSeen where index=windows_sec earliest=-20d@d latest=@m by host
| convert ctime(lastSeen)

 

 

Command that results in missing hosts:

 

 

| tstats values(host) by index

 

 

Similar command that also results in same "missing" hosts --- Fast Mode:

 

 

index=* | stats values(host) by index

 

 

Modifying the above command from Fast to Verbose mode results in all hosts being displayed as expected.

Additional Info:

  • Splunk v8.2.6 - no correlation between different Forwarder versions either.
  • Splunkd.log has been analyzed line by line pre/post Splunk service restart. No leads there.
  • Tsidx reduction is (and always has been) disabled for all of our indexes.
  • We have seen very similar behavior for other queries where Fast Mode results in missing data but simply changing the mode to Verbose instantly populates all expected data in the results. We even have verified that all fields are identified in the initial "generating" query - no difference in Fast Mode.

This seems like a super basic issue but has completely baffled us for some time and is causing serious heartburn and lack of trust in the data being presented to users. It's almost like a caching issue of some sort but we are grasping at straws now. Any thoughts/ideas would be welcome.

Thanks.

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2022 11:42 PM

Hi

in all in single node this works for me on 8.2.6.

| tstats count max(_time) as _time where index=xyz earliest=-20d@d latest=@m by host

So I propose that you will do a support case to splunk if you haven't found solution for this.

r. Ismo 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2022 11:07 AM

Another same kind of issue https://community.splunk.com/t5/Splunk-Enterprise/tstats-count-showing-0-on-internal-index/m-p/60269...

 

0 Karma
Reply

BLACKBEARCO
Explorer
‎06-21-2022 12:23 PM

Yes, we found a similar post related to the _internal index: https://community.splunk.com/t5/Splunk-Enterprise/what-makes-tstats-on-internal-go-wrong/m-p/572087

However, we have never had tsidx reduction enabled, which is why I mentioned that in the additional information of my original post above.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top