topic Re: Why am I getting "No results found." for any search, even if the events counter increases? in Splunk Search

Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Fri, 26 Aug 2016 13:46:50 GMT

Hello,

I'm getting "No results found." whenever I search for any term in splunk.

I have 29,123,099 Events INDEXED and I was searching normally before today.

No matter what I search for, I always get no results found.

Can anyone please point me in the direction where to check ?

Thank you

Re: Why am I getting "No results found." for any search, even if the events counter increases?

inventsekar — Fri, 26 Aug 2016 17:02:07 GMT

maybe, user access issue. are you having splunk admin access? can you check your user role and capabilities?

Re: Why am I getting "No results found." for any search, even if the events counter increases?

sundareshr — Fri, 26 Aug 2016 17:07:51 GMT

Change time to All Time.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

micahkemp — Fri, 26 Aug 2016 17:24:19 GMT

Are you searching the correct index? Which index is your data in, and what is defined as your default search index?

Re: Why am I getting "No results found." for any search, even if the events counter increases?

jdonn_splunk — Fri, 26 Aug 2016 20:07:21 GMT

This can also be expected behavior from your search for instance, this returns 0 of ~500,000 events:

index=*   | where linecount > 1 | rex field=_raw "(?m)(?P^.*ESTABLISHED.*$)" | search footer

If you are still troubleshooting, just start with "index=* startminutesago=5" to see what you have access to.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Sat, 27 Aug 2016 09:59:36 GMT

Time is already set to All time

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Sat, 27 Aug 2016 10:00:51 GMT

I'm using Admin account. I used to use this account before in my search

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Sat, 27 Aug 2016 10:02:16 GMT

I have not changed the index. Can you please let me know how to change the index ?

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Sat, 27 Aug 2016 10:12:28 GMT

index=* startminutesago=5 did not return anything.

I have also tried index=* and did not get any thing.

The steps I used now to check the data are:

Step one: I open Splunk and I get this:

Then I click on "Data Summary" and I get:

When I click on the "192.168.100.1" host that contains all the events, I get this:

One last thing to note, I was using Splunk trial and then the trial period expired. I then switched to Splunk free.

I'm not using distributed deployment. It is just installed on one server.

Thank you for your help.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Sat, 27 Aug 2016 10:19:48 GMT

Another thing:

When I click on the Job button below the search box, I get:

Peer 421798-db1's search ended prematurely. Attempting to reconnect and resume.

(421798-db1) is the server name.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

sloshburch — Mon, 29 Aug 2016 19:13:25 GMT

Maybe add index=* to that search to see if the data for that IP still exists. If still nothing than remove the host part and just search index=*. If that still fails then check that your role still has access to search all indexes within the role definition menu in settings.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

wpreston — Mon, 29 Aug 2016 19:31:27 GMT

The free version of Splunk has an indexing limit of 500 Mb per day. Did you perhaps index more than that after the trial license expired? If you index above your licensing limit more than 3 times in a 30 day window on the free version, the search functionality becomes disabled until you either get an unlock key, input a new license or one of the violations rolls past the 30 day window and your total licensing violations fall to 3 or less.

See this document about licensing for more information if you think this is what happened.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Tue, 30 Aug 2016 13:42:03 GMT

I will check this scenario. However, in the most busy day, I got 40 Mb of data . However, I can see other warnings in the license usage report.

Thank you for pointing me in the right direction. I will check I get back to you with the results.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Tue, 30 Aug 2016 13:43:02 GMT

I have tried all of what you have mentioned. unfortunately, still not working. I'm checking now the licensing report.

Thank you for your help.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

sloshburch — Tue, 29 Sep 2020 10:51:32 GMT

Check Settings -> Indexes to make sure there's events in the indexes. If you then can't see anything if you search that particular index, then post a screenshot of your user's role definition. Also check index=_internal log_level=ERROR to see if there's a problem. Lastly, since this is a local play environment, it might be easiest to just uninstall/reinstall Splunk and re-add the data thereby starting clean.

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Tue, 29 Sep 2020 10:51:38 GMT

Events are added to the main index and I can see them accumulating normally.

When I tried to see my user's role definition, I couldn't because this is the free version and user roles are not allowed.

Checking index=_internal log_level=ERROR, I found some errors:

2016-08-31 15:39:05,871 ERROR   [57c6ddf9ba19e01f4ee80] admin:1775 - [HTTP 402] Current license does not allow the requested action
Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\admin.py", line 1745, in listEntities
    entities = en.getEntities(endpoint_path, **args)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\entity.py", line 129, in getEntities
    atomFeed = _getEntitiesAtomFeed(entityPath, namespace, owner, search, count, offset, sort_key, sort_dir, sessionKey, uri, hostPath, **kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\entity.py", line 222, in _getEntitiesAtomFeed
    serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 513, in simpleRequest
    raise splunk.LicenseRestriction
LicenseRestriction: [HTTP 402] Current license does not allow the requested action

================================================================================================================

2016-08-30 15:50:00,313 ERROR   [57c58f084c19e01492278] config:132 - [HTTP 401] Client is not authenticated
Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\config.py", line 130, in getServerZoneInfo
    return times.getServerZoneinfo()
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\times.py", line 158, in getServerZoneinfo
    serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz')
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 510, in simpleRequest
    raise splunk.AuthenticationFailed
AuthenticationFailed: [HTTP 401] Client is not authenticated

host = 677878-db1 source = C:\Program Files\Splunk\var\log\splunk\web_service.log sourcetype = splunk_web_service

================================================================================================================

2016-08-30 15:38:12,792 ERROR   [57c58c44c9bbef1fc7f0] utility:49 - name=javascript, class=Splunk.Error, lineNumber=586, message=Uncaught TypeError: e.defaultDrilldown is not a function, fileName=http://192.168.100.12:8000/en-US/static/@debde650d26e/js/licenseusage.js

================================================================================================================

Thank you

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Wed, 31 Aug 2016 13:49:51 GMT

I also have this warning in the license manager:

Severity    Time    Message Indexer Pool    Stack   Category
Correct by midnight to avoid violation Learn more   This pool contains 1 slave/s in violation       auto_generated_pool_free    free    pool_violated_slave_count

Re: Why am I getting "No results found." for any search, even if the events counter increases?

sloshburch — Thu, 01 Sep 2016 12:32:09 GMT

What did you see on Settings -> Licensing -> Usage Report? Screen shot maybe?

Also, did you switch to the Free License or did the license just expire? Make sure you've done this: http://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/MoreaboutSplunkFree#How_do_I_switch_to_Splunk_Free.3F

Re: Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah — Thu, 01 Sep 2016 12:49:55 GMT

Hello SloshBurch,

The license expired, then I switched to the free account as per the instructions you sent. This was 6 days ago.

A screenshot of the license usage:

As for the warnings:

I can't clear these warning as there is no more details for them. The warning are:

Thank you so much for your help