topic Re: Performance check in Splunk Search

Performance check- How can I check why I'm not getting any results?

NizanCohen — Wed, 02 Nov 2022 12:12:53 GMT

Hi all.

I use Splunk on my workplace and recently I feel like it's performance is decreasing. Basic search queries like my username or email address would provide results, now it wouldn't.

Doesn't matter the time frame I choose, zero events.

I was told that an app called "estreamer" was down and one of the infrastructure worker fixed it and claimed to restore all missing data. It was last Thursday. Sadly, he's not familiar with this system so I need to address the issue when I talk with him.

Today, I still cannot search these basic strings, it gives zero events.

Any idea how I check what's wrong so I can tell the infra worker to fix certain issue/index/app?

Re: Performance check

gcusello — Wed, 02 Nov 2022 08:26:23 GMT

Hi @NizanCohen,

are you using the estreamer TA (https://splunkbase.splunk.com/app/3662) from splunkbase?

So, pleasae, check if you have today's events in the 11th of february.

If you have today's events with timestamp of 11th of february means that you have a wrong timestamp recognition that you can solve using an add-on from splunkbase or setting the TIME_FORMAT on your indexers or (if present) Heavy Forwarders.

Ciao.

Giuseppe

Re: Performance check

NizanCohen — Wed, 02 Nov 2022 12:34:33 GMT

Not sure about the app, I don't find it on the upper left "app" menu.

But, if I search for index=estreamer I get events..

Other question, how can I search an index that was recently stopped being used? maybe that will give me the needed information.. even though, searching the basic string with "all time" would not return anything..

Re: Performance check

gcusello — Wed, 02 Nov 2022 13:13:00 GMT

Hi @NizanCohen,

you cannot find this app in the app list because it isn't visible, so you have to search it in [Apps > manage Apps].

About the estreamer problem, is it solved or not?

if yes, please accept one answer for the other people of Community.

About the other question, don't add a new question to another one, because in this way, less people will help you, it's always better to open a new Question.

Anyway, if you search index=<your_index> and you don't have any event with "All Time", this means that you haven't any event on that index, so you cannot search anything.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Performance check

NizanCohen — Wed, 02 Nov 2022 13:16:22 GMT

No, I cannot find the estreamer app in "manage apps".

Any other idea why I experience this issue?

Re: Performance check

gcusello — Wed, 02 Nov 2022 13:22:39 GMT

Hi @NizanCohen,

as I said, you need an app or an add-on to parse your logs, so you have two solutions:

install one add-on from Splunkbase (e.g. the one I hinted),
create your own parsing rules.

if your problem is only timestamp, you could add TIME_FORMAT to your sourcetyoe and quickly solve your need, otherwise, it's easier to install a TA from Splunkbase.

Ciao.

Giuseppe