Buggy Event Search

CommunityUser
Splunk Employee

Hi,

It seems the event search is buggy and delivers inconsistent results.

For example: 

I am searching for events on 03/26/15 between 1pm and 8pm, I get 22 events.

When I am searching for events on 03/26/15 between 12pm and 8pm, I get 6 events.

When I am searching for events on the whole day, I get no results at all! (appendix)

How is this possible? The larger time range should contain at least as many events as the smaller time range.

Is there another way to search events?

Regards,

Thomas

0 Karma

Arun_Dasetty
Super Champion

Hi Thomas,

I have checked a similar case locally and could not reproduce the issue, as shown in the screenshots below. Can you check the filters section in the middle panel and see how it goes with no filters selected?

Regards,

Arun

0 Karma

CommunityUser
Splunk Employee

With no filter selected I get results for the whole day (but there are too many results to check, way more than 10k).

As soon as I set a filter to "Application Change" and "Discovery", I get the problem I described in my post.

Maybe there is a filter issue?

0 Karma

Arun_Dasetty
Super Champion

Hi Thomas,

Yes, that is what I suspected, hence I asked you to check the filters panel. It looks like the corresponding filters are somehow not automatically refilled when the time range is changed in your case, as that is not happening in our case. Hope that clarifies.

Regards,

Arun

0 Karma

CommunityUser
Splunk Employee

So I set the time range to one day, clear all filters (Clear Criteria) and search --> results look OK.

I just checked my filter --> no results for the time range.

Adjust the time range to one hour --> got results!!

So from my point of view there is nothing to clarify! It just does not work!

So what do I have to change to see the events of these categories over a time range of one day?

How can I see these events?

0 Karma

Arun_Dasetty
Super Champion

Hi Thomas,

You would need to select the corresponding filters (say, agent diagnostics events) in the "Show Filters" pane in the middle panel, or select the "Clear criteria" button, which shows all events. Check if that clarifies your query.

If you cannot locate the appropriate filters, please provide a screenshot with better resolution, as it is not clear from the initial screenshots which type of events we are referring to in the UI.

Regards,

Arun

0 Karma