
What are the possibilities of getting different results for the same search?

raghu0463
Explorer

What are the possibilities of getting different results for the same search (there is no change in query and time)?


MuS
Legend

Hi raghu0463,

User permissions, app context, search modes (Fast vs Smart vs Verbose), knowledge objects permission, roles, even you mentioned it - but make really sure you are searching over the exact same time range (use a fixed range over yesterday for example), don't run real-time searches and compare results, late arriving events, time not in sync in your environment, wrong timestamp recognition ... the list is really long and did I mention time zones?

Hope this helps in some way ...

cheers, MuS

somesoni2
Revered Legend

There may be a different count if new data is coming in with timestamps within the time range you selected. If you're using relative time (like last 1 hour or last 24 hours), the time range is actually changing (see the timestamp in the result summary just below the search bar on the left), so you may get a different count. Also, if there is some indexing delay involved, you may get a few events that become searchable when you run the search next time.
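The two effects described in the answers above (a relative time range that slides between runs, and events that become searchable late) can be separated with a small model. This is an added example, not part of the original posts and not Splunk code: the `Event` fields stand in for `_time` and `_indextime`, and the function names and sample events are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    name: str
    event_time: int  # like _time: timestamp parsed from the event (seconds)
    index_time: int  # like _indextime: when the event became searchable

def search(events, run_at, earliest, latest):
    """Events a search run at `run_at` sees for event_time in [earliest, latest)."""
    return {e.name for e in events
            if e.index_time <= run_at and earliest <= e.event_time < latest}

def compare_relative(events, run1, run2, span):
    """Run the same 'last <span> seconds' search at run1 < run2 and explain the delta."""
    first = search(events, run1, run1 - span, run1)
    second = search(events, run2, run2 - span, run2)
    by_name = {e.name: e for e in events}
    gained = second - first
    return {
        "first": first, "second": second,
        # Window slid forward: the oldest events no longer fall inside it.
        "aged_out": first - second,
        # Event time is at or after the first run: genuinely new data.
        "new_data": {n for n in gained if by_name[n].event_time >= run1},
        # Event time was inside the first window, but it was indexed too late.
        "late_indexed": {n for n in gained if by_name[n].event_time < run1},
    }

# Constructed sample events (times in seconds, not real data).
SAMPLE = [
    Event("A", 6500, 6505),
    Event("B", 9000, 9002),
    Event("C", 9900, 10120),   # indexing delay of 220 s
    Event("D", 10100, 10101),
    Event("E", 9950, 10400),   # not yet indexed at either run
]

if __name__ == "__main__":
    print(compare_relative(SAMPLE, run1=10000, run2=10300, span=3600))
    # A fixed range removes window drift; only late-indexed events still differ.
    print(search(SAMPLE, 10000, 6400, 10000), search(SAMPLE, 10300, 6400, 10000))
```

With a fixed range, the only remaining difference between runs is the late-indexed events, which is why comparing runs over a closed range that is old enough to be fully indexed gives stable results.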
