Splunk Search

Why when I refresh splunk I loss data ?

New Member


I filll a table which has more than 60 columns and 1000 lines.
But at 10am for example, all the columns except one is fullfill.
Then I refresh the page (F5) and all the columns except 5 are fullfill.

I don't understand this behaviour. Have you any ideas ?

Splunk install on signle machine.
Splunk version: 6.5.4



0 Karma


Okay, something about your question doesn't make sense.

Splunk doesn't really deal with "tables", it deals with queries against underlying data that is stored in indexes, lookup files or a KV store. F5 executes the query again. If the data has not changed, then the results will not change. If the data HAS changed, then the results WILL change.

Splunk is not a database or a spreadsheet program. Typing things into a table on the screen does not generally lead to any change in the underlying data. If that is the behavior that you need or want, then you need to program that screen such that it will write the input data out to an index in the way you want, and then your search needs to bring that changed data back into the screen.

If you are attempting to edit a lookup table, there is a lookup file editor app on Splunkbase that will help with that task. https://splunkbase.splunk.com/app/1724/

0 Karma

New Member

Thanks for tour answer.
Sorry, I was not crystal clear.

When i say table, I mean my in my queries i show my data in form of table : end of my queries : | table tpto tata etc

I confim that the data NOT changed, AND the results CHANGE ( all values in 3 columns disapear). I know it's strange.
I use splunk since more than 3 years i never such thing like that.

I have scrrenshot to prove it but our data is confidential...

Any ideas ?

0 Karma

New Member

We find the issue.

To see all the data , we add this parameters in limits.conf

limits = 2000

0 Karma