Splunk Enterprise

"host" shows a different total of "events" every time

CollaiderKV
New Member

When I make identical requests, I receive different answers:

  • Query 1: 327,572 events
  • Query 2: 340,072 events
  • Query 3: 302,590 events
  • Query 4: 340,072 events
  • Query 5: 327,572 events

After the last update there is trouble with this. How do I achieve accuracy?


CollaiderKV
New Member

Possibly it is a consequence of the fact that the new version of the program was written over the old one (there was no removal of the old version before installing the new one)...


CollaiderKV
New Member

Thanks. In my case a certain "host" is the analysis of a certain file which is loaded. That is, the contents of the file don't change. What will help me in this case? Cleaning the cache doesn't help.


xpac
SplunkTrust

Can you show your actual query?


CollaiderKV
New Member

When performing the query "host=02_05_2018 OR host=28_04_2018" (using "BY host"), it shows results only for 02_05_2018.

screen: http://nimb.ws/uRTQmN


xpac
SplunkTrust

Did you try setting your search time range to "all time"?


CollaiderKV
New Member

Yes, it hasn't helped.


CollaiderKV
New Member

Query: host=01_04_2018
Shows all records of the log for April 1, 2018. For every day a separate file is loaded.


xpac
SplunkTrust

Mh, using the host field not for the host but for grouping by day isn't very good practice. However, it should still work. Did you try this:
| tstats prestats=t count where host=01_04_2018 by _time sourcetype
| timechart count by sourcetype

This should give you a timechart diagram of the data, and that shouldn't change on every query.


CollaiderKV
New Member

Thanks. I have remade the logic of how the files are used; now I don't use "host". I have also moved to v.6.x, where this isn't observed.
By the way, thanks for the example.


woodcock
Esteemed Legend

This is normal when your host is forwarding events into Splunk continuously. Also, if you are searching for a time in the past (like yesterday) and it is still growing, it is possible that new events coming into Splunk are either arriving very late, or the timestamp is being misinterpreted and placed into the past.
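A search that checks for the two causes named in the reply above (events arriving late, and timestamps parsed into the wrong period), added here as an illustration and not part of any answer in this thread. It assumes the asker's host=01_04_2018 naming and an arbitrary one-hour lag threshold; _indextime is the time Splunk wrote the event to the index, _time is the timestamp parsed from the event itself, so the difference shows how far each event "moved" when it was indexed:

```spl
host=01_04_2018
| eval index_lag_sec = _indextime - _time
| bucket _time span=1h
| stats count AS events,
        min(index_lag_sec) AS min_lag_sec,
        max(index_lag_sec) AS max_lag_sec,
        count(eval(index_lag_sec > 3600)) AS arrived_late,
        count(eval(index_lag_sec < 0)) AS future_timestamp
  BY _time, sourcetype
| sort - max_lag_sec
```

If arrived_late is non-zero for a bucket, the totals for that day will keep changing on each run as more events land in the index; a non-zero future_timestamp (event time later than index time) or a max_lag_sec of days rather than seconds points at timestamp extraction placing events into the wrong day, which is worth fixing in props.conf rather than hiding by re-running the count. Running the same count grouped by _indextime instead of _time (for example `eval _time=_indextime` before the stats) gives a figure that is stable once the day has closed, which is useful when you need a reproducible number for reporting.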
