Solved: Why are events included in one Search Head but not...

whiteoakway135 · ‎04-04-2018

I have a two search head, one indexer environment. One Search Head is dedicated to Splunk Enterprise Security (ES). I ran the same exact search on the two Search Heads, but the non-ES Search Head seem to be missing events. Any ideas as to why?

splunker12er · ‎04-04-2018

You are running the same search , but it seem you are running the search with realtime moving window (10 minute window) - so the results would vary according to the incoming realtime logs.

Try execute the search for a fixed/exact time range - anytime it would produce the same no. of result.

View solution in original post

splunker12er · ‎04-04-2018

You are running the same search , but it seem you are running the search with realtime moving window (10 minute window) - so the results would vary according to the incoming realtime logs.

Try execute the search for a fixed/exact time range - anytime it would produce the same no. of result.

whiteoakway135 · ‎04-05-2018

I ran them within fixed time range and they returned the same number of events. I suppose I'll just need to account for certain real-time deviations when running searches against the different search heads. I feel like this brings up other questions, but I'll get there when I get there. Thanks!

davpx · ‎04-04-2018

Try running these again with a set time window instead of a real-time search and compare again.

Why are events included in one Search Head but not the other when running the same search?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!