https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369543#M6538 <P>Usually when I have stuff that "tests OK" in an ad-hoc search but fails in a scheduled search it is due to pipeline latency. Check out the values of <CODE>_indextime - _time</CODE> for your events. These should be positive and no more than 300ish.</P> Wed, 10 May 2017 16:20:49 GMT woodcock 2017-05-10T16:20:49Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369540#M6535 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2901i102BAAF288C73915/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I have made an email alert. but when i click to view events on triggered alert i see no results. why this happens? how can i show the results?</P> Tue, 09 May 2017 11:43:59 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369540#M6535 sonila 2017-05-09T11:43:59Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369541#M6536 <P>Your trigger times in the capture show 12:27 to 12:34 but your search shows 1:11 to 1:21. Is it possible that there were no triggered events between 1:11 and 1:21? What if you change your search time frame to the 12:27-12:34?</P> Tue, 09 May 2017 13:20:13 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369541#M6536 kmaron 2017-05-09T13:20:13Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369542#M6537 <P>I tried but no result again</P> Tue, 09 May 2017 21:55:46 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369542#M6537 sonila 2017-05-09T21:55:46Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369543#M6538 <P>Usually when I have stuff that "tests OK" in an ad-hoc search but fails in a scheduled search it is due to pipeline latency. Check out the values of <CODE>_indextime - _time</CODE> for your events. These should be positive and no more than 300ish.</P> Wed, 10 May 2017 16:20:49 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369543#M6538 woodcock 2017-05-10T16:20:49Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369544#M6539 <P>And what do you recommend after checking the values of _indextime - _time<BR /> _indextime - _time is less than 0 to my indexed data. What should i do?<BR /> _indextime - _time is around -9.581</P> Wed, 10 May 2017 20:15:53 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369544#M6539 sonila 2017-05-10T20:15:53Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369545#M6540 <P>Since the magnatude is so low, the problem is surely that your forwarders and/or indexers are not using <CODE>NTP</CODE> and have drifted from true. To see if it is your indexers, try this:</P> <PRE><CODE>| rest /services/server/info | eval updated_t=round(strptime(updated, "%Y-%m-%dT%H:%M:%S%z")) | eval delta_t=now()-updated_t | eval delta=tostring(abs(delta_t), "duration") | table serverName, updated, updated_t, delta, delta_t </CODE></PRE> <P>If delta is anything other than about 00:00:01 (which is easy to account for when processing a lot of indexers), you have clock skew and are a naughty boy because you should have setup NTP on your indexers.</P> <P>NOTE: this <EM>IS</EM> a problem, but it is not the problem that you were asking about.</P> Thu, 11 May 2017 20:39:38 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369545#M6540 woodcock 2017-05-11T20:39:38Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369546#M6541 <P>delta is 00:00:00 and _indextime - _time is around 9.581 it is positive</P> Thu, 11 May 2017 21:39:24 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369546#M6541 sonila 2017-05-11T21:39:24Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369547#M6542 <P>In that case never mind this whole answer.</P> Thu, 11 May 2017 22:23:55 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369547#M6542 woodcock 2017-05-11T22:23:55Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369548#M6543 <P>can you help me about my problem why i dont see results in splunk?</P> Fri, 12 May 2017 07:27:06 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369548#M6543 sonila 2017-05-12T07:27:06Z https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369549#M6544 <P>The only thing that I can think of is that your events are expiring between when the alert hits and when you double-check. This should tell you what the oldest event still in the index is. It should be weeks, if not months old but maybe it is hours or days old.</P> <PRE><CODE>|metadata type=sourcetypes | search sourcetype=log4net </CODE></PRE> Fri, 12 May 2017 22:40:20 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-no-results/m-p/369549#M6544 woodcock 2017-05-12T22:40:20Z