
Search not showing all events

New Member

Hi,

I do have the following problem:

index=atmo_pc sourcetype=SE10 Station=60

As you can see, my search is pretty basic. It is just a small part of a whole dashboard, which depends on the selected Station. Furthermore, events with Station=60 aren't shown properly. Actually, the result is 4 events if I press search (Year to date time picker).

If I modify the search like:

index=atmo_pc sourcetype=SE10 Station<61 Station>59

I receive more than 7000 events, which is the correct number of events.

So I cannot figure out why. I don't think it is a problem regarding the field extractions or any other settings. Is it a problem of the source? Thanks for any help!

Eric

0 Karma

Re: Search not showing all events

SplunkTrust

After hitting this search, index=atmo_pc sourcetype=SE10 Station<61 Station>59, what values do you get in the field sidebar for the Station field?

Do you get only 60?

0 Karma

Re: Search not showing all events

New Member

Yes, after running the search I only get 60 for Station, which is a number, not a string.

0 Karma

Re: Search not showing all events

Explorer

Try to restart the indexer.
Run this command in $SPLUNK_HOME/bin:

./splunk restart

In case you are using a forwarder, restart the forwarder as well.

0 Karma

Re: Search not showing all events

New Member

The problem is, I do not have access to $SPLUNK_HOME/bin, nor to the forwarder.

I have to solve it (if possible) differently.

0 Karma