Solved: Cant search real time and last 15 min on search he...

xisura · ‎12-05-2013

Hi Newbie here,

I setup a distributed search,and it successfully run, but when i search realtime (realtime 5min or 30mins) on search head it didnt show any results, i changed it to last 15 mins but no results again, I change it to all time then it shows all result and its updated, i dont know why theres no result on realtime in my search head,

Please help,
xisura

Damien_Dallimor · ‎12-05-2013

Throwing out some guesses here : Do you actually have events in the 15 min window(based on their index time) ? Are your timestamps being extracted correctly ? Is the index time on the events what you expect ?Are the machines in your architecture time synched ?

View solution in original post

xisura · ‎12-05-2013

hi @damien ,its now working,your right the machines time are not sync , so i config it and test it again and its now working thanks!! 😉

xisura · ‎12-05-2013

just to test if there are realtime events,i run realtime search in the indexer yes its working,but in the searchhead no, i will check if their time are sync....

Damien_Dallimor · ‎12-05-2013

Throwing out some guesses here : Do you actually have events in the 15 min window(based on their index time) ? Are your timestamps being extracted correctly ? Is the index time on the events what you expect ?Are the machines in your architecture time synched ?

xisura · ‎12-05-2013

when i perform non-realtime search like last 15min it shows no. of events (0 of 10,000 events matched) so no events display,but when i used all-time and used the same search query it shows all the events

Damien_Dallimor · ‎12-05-2013

What happens if you perform a non-realtime search over the last 15 minutes ? See any events ?

Cant search real time and last 15 min on search head

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!