Getting Data In

Data is missing

chandana204
Communicator

Hi,

Recently I am seeing new issues in Splunk Enterprise. When i do searches in Splunk it's not pulling all data but my colleagues can see all data in their environment. Does anyone has any idea about this? I have same permissions as them. Please tell me what would be the reason?

Thanks,
Chandana

0 Karma
1 Solution

PowerPacked
Builder

Possible Reasons
- different timezones
- Field Extractions, or some other knowledge Objects not shared with you.

View solution in original post

PowerPacked
Builder

Possible Reasons
- different timezones
- Field Extractions, or some other knowledge Objects not shared with you.

skoelpin
SplunkTrust
SplunkTrust

Are you running on a different search head than they are? If not then most likely a permissions issue

0 Karma

chandana204
Communicator

I am running same search head like them.

0 Karma

PowerPacked
Builder

Can you explain what do you mean by all data in the above question ?

0 Karma

chandana204
Communicator

My colleagues can see full data from a particular index. When it comes to me, I can see some of the data from the same index not full data. I will give you an example.
index="cursor" timestamp=11/21/2017 02:20:03 to 11/21/2017 02:20:04
From the above query, actual events count is 24. when it comes to me I can see only 2 events. The splunk is not listing all 24 events.

0 Karma

Sukisen1981
Champion

Hi,

Based on your comments it does not seem to be an issue with splunk.
If everyone had not been able to see all data, then the issue would have been with splunk, but you are stating that your colleagues are able to see all data, whereas you are not. Does this seem like an issue with splunk?
Granted that you have the same permission as your colleagues,that does not mean you have access to all data.
With the very limited information that you have given, have you checked if you have permission to see data from ALL the indexes? You might have the same permissions , but unless you have permissions for ALL the indexes you will not be able to see all data points,

0 Karma

chandana204
Communicator

I understand your point, I am running searches on particular indexes where I have proper permissions.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...