Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why when I refresh splunk I loss data ?

FlorentNall
New Member
‎10-25-2018 04:23 AM

Hello,

I filll a table which has more than 60 columns and 1000 lines.
But at 10am for example, all the columns except one is fullfill.
Then I refresh the page (F5) and all the columns except 5 are fullfill.

I don't understand this behaviour. Have you any ideas ?

Splunk install on signle machine.
Splunk version: 6.5.4

Thansk,

Regards

0 Karma
Reply

DalJeanis
Legend
‎10-25-2018 12:02 PM

Okay, something about your question doesn't make sense.

Splunk doesn't really deal with "tables", it deals with queries against underlying data that is stored in indexes, lookup files or a KV store. F5 executes the query again. If the data has not changed, then the results will not change. If the data HAS changed, then the results WILL change.

Splunk is not a database or a spreadsheet program. Typing things into a table on the screen does not generally lead to any change in the underlying data. If that is the behavior that you need or want, then you need to program that screen such that it will write the input data out to an index in the way you want, and then your search needs to bring that changed data back into the screen.

If you are attempting to edit a lookup table, there is a lookup file editor app on Splunkbase that will help with that task. https://splunkbase.splunk.com/app/1724/

0 Karma
Reply

FlorentNall
New Member
‎10-26-2018 12:27 AM

Thanks for tour answer.
Sorry, I was not crystal clear.

When i say table, I mean my in my queries i show my data in form of table : end of my queries : | table tpto tata etc

I confim that the data NOT changed, AND the results CHANGE ( all values in 3 columns disapear). I know it's strange.
I use splunk since more than 3 years i never such thing like that.

I have scrrenshot to prove it but our data is confidential...

Any ideas ?

0 Karma
Reply

FlorentNall
New Member
‎10-30-2018 09:31 AM

We find the issue.

To see all the data , we add this parameters in limits.conf

[kv]
limits = 2000

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...