topic Re: Why are there no results found in a search while exploring the search tutorial? in Splunk Search

Why are there no results found in a search while exploring the search tutorial?

rogue_carrot — Sat, 23 Jun 2018 20:40:58 GMT

Hello Team Splunk,

I am following the simple search tutorial featuring logs in zip files from the fictitious company, "Buttercup Games". The problem is after 1) uploading the zip files, 2) viewing the sources in the data summary, and then 3) clicking on the source I do not 4) see any data in the search. This seems like I am missing something very important. So I wanted to check in with you all to see if you could help me figure out what is going wrong. Figure 1 below shows that there are no results in a search when there should be. Figure 2 shows that there are over thirty-thousand things in the log file that should probably appear in the search. What am I missing?

Figure 1: No results

Figure 2: 30K plus count for vendor_sales.log file - why doesn't anything show up in a search

The tutorial I am following is at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/SearchTutorial/Aboutthesearchapp#

Thank-you for reading this.

Re: Why are there no results found in a search while exploring the search tutorial?

adonio — Sat, 23 Jun 2018 21:29:10 GMT

you need to add index = <your_index> or index=* before your search
the administrator, that has admin role, does not have indexes search by default defined in its role

hope it helps

Re: Why are there no results found in a search while exploring the search tutorial?

niketn — Sun, 24 Jun 2018 06:29:52 GMT

@rogue_carrot also it would be better to unzip the log files to a folder and Monitor entire Folder using Splunk.

Once you have added the complete folder Splunk will give you an option to Start Searching, which will build the required query based on settings during Add Data Wizard.

http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/GetthetutorialdataintoSplunk#Use_the_Add_Data_wizard

Re: Why are there no results found in a search while exploring the search tutorial?

rogue_carrot — Mon, 25 Jun 2018 01:37:26 GMT

I tried specifying an index with the wildcard, index=*, but this did not change anything. Still there are no results in the search. 😕 Please see the following screenshot.

Re: Why are there no results found in a search while exploring the search tutorial?

rogue_carrot — Mon, 25 Jun 2018 01:55:48 GMT

I figured out my problem. 🙂 Feels great...

In the time selector the search was looking for the Last 24 hours. I changed this to search All time and behold my data was there! Or my events were there, or whatever that stuff is that should be there but was not earlier that necessitated this question. 🙂

Please see the screenshot that follows. Pay attention to the "All time" in the drop down to the left of the magnifine glass symbol. I think someone should update the tutorial for the Splunk noob trying to find their way through the stress of trying to scale a learning curve.