https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479638#M134426 <P>Try running this to see what indexes are being populated:</P> <PRE><CODE> |tstats count where index=* by index </CODE></PRE> <P>Use the past 24 hours in time picker. <BR /> This will show any index being written to in your environment. Verify that you see the index you desire to query in the results. </P> Mon, 06 Jan 2020 17:20:55 GMT mydog8it 2020-01-06T17:20:55Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479635#M134423 <P>Hi Community,<BR /> I've been using Splunk enterprise search and reporting since a month now and now when I try to search with the same old query which worked previously, the results doesn't even shows up. All i get is "No results found. Try expanding the time range." but I'm using time range of last 30 days.</P> <P>Can anyone please help me with this?</P> <P>Thanks,<BR /> Sid</P> Mon, 06 Jan 2020 15:45:51 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479635#M134423 siddharth1479 2020-01-06T15:45:51Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479636#M134424 <P>Would be beneficial posting a sample of the search you're using. This will usually happen in two cases:<BR /> 1. No data is available (perhaps no new data was indexed since it last worked or even the retention of the data you're looking for already deleted the old data)<BR /> 2. The field transformations you were using were changed and you cannot filter anymore the data (in this case I recommend you start cutting the search query you were using to make sure you're matching something, let's say for example you were using this search: <CODE>index=abc sourcetype=abc event=filtered | start count by host</CODE>, you can search for only index=abc that should give you an idea if you really have data there and the problem is not your query</P> Mon, 06 Jan 2020 16:51:49 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479636#M134424 gfreitas 2020-01-06T16:51:49Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479637#M134425 <P>Hi,<BR /> Thanks for the reply, as you said to cut down the search to only index, i'm still now able to see any data. I'm pretty much sure that data is being indexed as i can see it on my server logs.</P> <HR /> <P>eg: index="iam" User="*" ----&gt; Using this also wont show me any data </P> <HR /> <P>The query I'm using is this</P> <P>index="uam" User="*" earliest=-15m latest=now| rename date_hour AS Hour date_mday AS Day date_minute AS Minute date_month AS Month date_second AS Second date_wday AS WeekDay date_year AS Year date_zone AS TimeZone | fields _time Year Month Day WeekDay Hour Minute Second TimeZone host User _raw | dedup _time</P> <HR /> <P>Thanks,<BR /> Sid</P> Wed, 30 Sep 2020 03:35:56 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479637#M134425 siddharth1479 2020-09-30T03:35:56Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479638#M134426 <P>Try running this to see what indexes are being populated:</P> <PRE><CODE> |tstats count where index=* by index </CODE></PRE> <P>Use the past 24 hours in time picker. <BR /> This will show any index being written to in your environment. Verify that you see the index you desire to query in the results. </P> Mon, 06 Jan 2020 17:20:55 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479638#M134426 mydog8it 2020-01-06T17:20:55Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479639#M134427 <P>you have earliest hardcoded in your search bar and it's set to 15min. when you remove that and broaden your search to 30d, does that help at all?</P> <P>have you checked that field extractions are working properly? you have User=*, but it could be that something happened that the field extractions are broken somewhere? try just the <CODE>index=uam</CODE> (I also noticed that in one comment you put <CODE>iam</CODE> and another you put <CODE>uam</CODE>, so just double check for any typos) for a broader range and see the last time data came through (you can also use the <CODE>|tstats</CODE> trick that @mydog8it suggests, but I might add <CODE>|tstats max(_time) as max_time max(_indextime) as max_indextime where index=uam|convert ctime(max_time) ctime(max_indextime)</CODE> in order to get the last time and indextime for that index) . If you see that data has come in within the last 15 minutes or so, shorten your time frame and do <CODE>index=uam|fieldsummary</CODE> to see what fields are being extracted. </P> Mon, 06 Jan 2020 18:09:04 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479639#M134427 cmerriman 2020-01-06T18:09:04Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479640#M134428 <P>Try removing the hardcoded <CODE>earliest=-15m latest=now</CODE> as this overwrites the time you choose on the time picker</P> Tue, 07 Jan 2020 11:03:46 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479640#M134428 gfreitas 2020-01-07T11:03:46Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479641#M134429 <P>Thanks for the reply, I tried using the command you gave and it doesn't show the desired index i want. Seems like problem with my permission and need to contact my Splunk admin. Thanks for helping me out.</P> Tue, 07 Jan 2020 16:02:03 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479641#M134429 siddharth1479 2020-01-07T16:02:03Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479642#M134430 <P>Thanks for the reply, I tried using the command you gave and it doesn't show the desired index i want. Seems like problem with my permission and need to contact my Splunk admin. Thanks for helping me out.</P> Tue, 07 Jan 2020 16:02:20 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479642#M134430 siddharth1479 2020-01-07T16:02:20Z https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479643#M134431 <P>Did the same, still not able to get results. Need to contact my Splunk admin with the issue. Thanks for the help.</P> Tue, 07 Jan 2020 16:03:22 GMT https://community.splunk.com/t5/Splunk-Search/Data-not-being-displayed-with-previous-working-query/m-p/479643#M134431 siddharth1479 2020-01-07T16:03:22Z