Hi,
I have Splunk Free (I am afraid this is not present in the "choose product" list, switched from "Enterprise Trial"...).
I am using the same user (there is only the admin user in Splunk Free), and run a very simple query several times,
host="abc-def.csv"
with time picker = "All time". Moreover, the index records do not change during the searches (one-time CSV load).
Also, settings for event sampling are "No event sampling".
Now, strangely, I always get a different number of events returned (e.g. ranging from 132k to 169k events...).
Why is this so? Is there some kind of timeout, and how can I increase it?
There are several similar posts, but all are n.a. - e.g. I use a single user and the index does not change, ...
Thanks!
Best Regards
Florian